73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
Size

1.4MB
MD5

220aa6a279279d54d035cf5727fe878e
SHA1

2391ff8c9e0b643b342689c15e1529ae254c92ae
SHA256

73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114
SHA512

2d5d43afd95b1a8a43e4430376ce7e2c29c76c4246ec30c6706abde62c006f6324ee5993b2d342c6eddce8e2327728665ba0e12dffa32402727fc3c1553390eb
SSDEEP

12288:b2pO3Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhI:SpOHofe3y1sInB2COzRq8DvFqt

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
720	alg.exe
2892	DiagnosticsHub.StandardCollector.Service.exe
2376	fxssvc.exe
2780	elevation_service.exe
1032	elevation_service.exe
2996	maintenanceservice.exe
4796	msdtc.exe
4524	OSE.EXE
3612	PerceptionSimulationService.exe
4440	perfhost.exe
3140	locator.exe
1824	SensorDataService.exe
2240	snmptrap.exe
3948	spectrum.exe
4444	ssh-agent.exe
3768	TieringEngineService.exe
4368	AgentService.exe
1896	vds.exe
1264	vssvc.exe
552	wbengine.exe
1396	WmiApSrv.exe
1360	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\System32\msdtc.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\spectrum.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\vssvc.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\System32\vds.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\wbengine.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\dllhost.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\AgentService.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1d9dde30c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3308	3244	WerFault.exe	81

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d91fe615efbdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3e43015efbdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7b30216efbdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f15a2715efbdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017e18d15efbdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2892	DiagnosticsHub.StandardCollector.Service.exe
2892	DiagnosticsHub.StandardCollector.Service.exe
2892	DiagnosticsHub.StandardCollector.Service.exe
2892	DiagnosticsHub.StandardCollector.Service.exe
2892	DiagnosticsHub.StandardCollector.Service.exe
2892	DiagnosticsHub.StandardCollector.Service.exe
2892	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3244	73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
Token: SeAuditPrivilege	2376	fxssvc.exe
Token: SeRestorePrivilege	3768	TieringEngineService.exe
Token: SeManageVolumePrivilege	3768	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4368	AgentService.exe
Token: SeBackupPrivilege	1264	vssvc.exe
Token: SeRestorePrivilege	1264	vssvc.exe
Token: SeAuditPrivilege	1264	vssvc.exe
Token: SeBackupPrivilege	552	wbengine.exe
Token: SeRestorePrivilege	552	wbengine.exe
Token: SeSecurityPrivilege	552	wbengine.exe
Token: 33	1360	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1360	SearchIndexer.exe
Token: SeDebugPrivilege	720	alg.exe
Token: SeDebugPrivilege	720	alg.exe
Token: SeDebugPrivilege	720	alg.exe
Token: SeDebugPrivilege	2892	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 4616	1360	SearchIndexer.exe	111
PID 1360 wrote to memory of 4616	1360	SearchIndexer.exe	111
PID 1360 wrote to memory of 2124	1360	SearchIndexer.exe	112
PID 1360 wrote to memory of 2124	1360	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe
"C:\Users\Admin\AppData\Local\Temp\73acd43ac2f66274b0d4afec577228d0f8d9406cb81d205ad0187f4bf34f7114.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 936
  2⤵
  - Program crash
  PID:3308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4796

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3140

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1824

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3948

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4488

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4616
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3244 -ip 3244
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e4e59895fdf0ceb95302584daeb5fa1e

SHA1
712c5163e737bb498c7ff6624a015e52abfd6357

SHA256
34f476cc6227c606c613a272dc5c4576da629dad90a226f58cde3bf3696b38e3

SHA512
226b00abc24662c161a6684c65442c2d66e1c6c32d66701c849763adc6d0bb01345b57382f8164e8abe8dff3312d6d597d44f4df12512c182e91b2ac5b2ed860

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
a2e8042bc5fb992e9edc1b6d0e9e15c3

SHA1
5844a118a3e2e292cc9ce2c2f74dc5fecdf306ef

SHA256
21b423605a74f6a59fb1ebee0a35b7899e05e95dc86f8716a90eef29118f090f

SHA512
8bf1bb8c8e7dd1139e74a77f12d6ee45d70587d4f9a37ed1744747d702c4224e09627d4750cebfd5fea1ea11383b4a44e4e396599ee5c01159edfb91ac2c0b87

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
116109f8bc4aab8a2bcb8aeac9560109

SHA1
9813c30710e5e18f1b6c94a07e5c43862a4e6fa8

SHA256
906d7825fada322dae6b55748f0b8b6133f30b360edaca612a18886951a1a528

SHA512
ee70a6c214d9f8292098e00c20b3df435b03e5a8358eee112806bead8526739501ac0785d84e5eb89bd96de54fe0fd3338ab97715ba5f61f157e710c57bf37eb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0a0ac3d3ac796415ef87e6ee0e44aa06

SHA1
68685c4c2aeae60e05e8d6a2486b3dadce1e097a

SHA256
bc1ba00487d38be87c0108156929189dfecce547ee8947d58051a812fc8fd114

SHA512
71fcfcb6aa8fd32a70973afb33f41bfe415bbd185f37367c1c1664bfc91e6eebc6b56930a2cf65d7b9af683421b4a9320e9082ccf5df36b99178265f0af6a0b4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f12f8fa19e7e576e70efeb9751a4582c

SHA1
c7652a0aa1c2346378f72da902970d027ab6d733

SHA256
8765a5d83a20e908c0e8666d63819dc33dfc4f0a96b9fcbecdb0a0a4ae5b38a3

SHA512
09e94b90887f370cfb815a0f231f46bfaf3dd5f8aa9499a7a2360791aba6560809bf04beb93ae6679f989dea029f78263cf8c47082ec6451330f99ff573f103e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
c58c574d827653ec489e308667491b52

SHA1
bee60c67c78c586d18115983be62a11cfd7f7fce

SHA256
9f90419ed8bbdc7826db45c23cf1ab4c79e171a3bb8bed47714775721b9db724

SHA512
8496d6112ef0804d32ee7b742392273568f34d6f348e967c744f8b1e2726d9ba813f03be4cf6274877bbd3021afe242f2be05717f085d2e069641a4157f1fd2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
14f9f681ca9620a027d59ded130dcde6

SHA1
b5e42a499eeab75ff73a155a1ba1b3244feb9b54

SHA256
f7b3737e2e8ab47e70c3e19017dbcc839f4a0e72a9b9548db76f6bdf5f659004

SHA512
b0926506074002957a7c39ac31b06b534d95a95177f3d899f3b6a6b52c02871fdb6f480e420419123c78d27496e1afab5f42444e095a875dd4ca3c4b8a2636ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
83175a01ad2586508de9d72246465ce4

SHA1
12a97a9759701a4e5b01d311e9d25ab2104dbe23

SHA256
885eefe66b039474a0dc19d9d4390ce4dacc6ea7d8e40a1af3095150e60aae46

SHA512
9a6479cad4340b0432ec67d0b669dbab140aa497a89b31849a89945b12f7ae28c0a0179b8061577f63258aa46e5d7a3da56cc1bf086943f472f79d34619a3d2a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
68ab1e79b877314e58afa5d74047df87

SHA1
c3c3e50d57befc9fc92a093b38bc56eca3e32798

SHA256
c5bea797ca11f4db6674d89f805d75a1bbcbcad864daa13662eac0f6ef260cd5

SHA512
9c5b83c59a161601a19e749ee20900bb0362e5464ce2a8dfe1de8164a69c7d5cc70595fd70f6a1db14eb9d648cc875ff779203dc509b410a03a3309cce35562b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
13bdefff308b141d5894af4d491471ef

SHA1
42115ae9f3b32e361326823a4e5fcf8e349bb070

SHA256
059b8b6c7fe75cda919c084e62bd7368d6110061b8482dddcb80d775fb023614

SHA512
96529429d0a2386e69edc8adf14cf5d78971a20cea9c42d636255351802e9605e2b6bf08da50f809de81586f11948fa3c3be182dd4ff190a9c8a47c0e74a0db2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
28d661e78729eb5e940778746609a210

SHA1
390bcedbf00e4a6b49b61a67e66bbe866cfeddd6

SHA256
3d09acda6d4bb35c8b5deebc5f111a42cfd21f9b7c5b12f46e9117e38d392af6

SHA512
161ecd68d6f042c5e16af296f3ce8cb91ee9b36ad31cb480b756474b0ab721022f6feda0fcfbd77fd8f0100df2f382728290f20f5c59621847832f5460f714ab

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bc790d2d649d9469b63315327f7f13ae

SHA1
0c18d36d5a4ad85f43633a003c934a72faee6952

SHA256
a72ee6807bc5aa9120325ba8f731aeeee6b21b4675e1234b4a0c3c2188916ef7

SHA512
c24ae183ec55b12b22c7929edef9ffc6aa47629b342d4fb50266e6b4a9885ccbd25d021b25d388b347a6a7b8059a4fe9577c3cca77e2dce89fafc5865ab862f0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
e8ae58b565c6ac8230814af5511fa486

SHA1
6f9989cf407bfca17a58c0a14cb0ca81a6d0b4e5

SHA256
2fdd986f3bcbec397ffa896bcd086a2262688acb20c5a804d955ce8f66ac90de

SHA512
ce33f0195639c16703d21b34dc00713f17cfd0cb194aaa4c68e206b4f9fdb801d16ce2710623d4144892e9556f3422b330021800bdc2bf01863cf7f4ebf15342

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
184e97d1e9aa1ddbd1b0763b50287658

SHA1
7fa65db85b0f1509c0af9c25d712b78bf83b1126

SHA256
515727f458d3b1b60dedd677dea395ad70ba4c44eb13ca43786a47464a1cd0e6

SHA512
0d378ff2403069c4ea06f64fb3558b7f4c9013e75f2571cbf184e58631b5404e0ccdf7a01e0115fce85cdef8afaba2afcd4c17a7e24d9a95bcf31efef38b66c7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c9fa7fc6d8fa3b33ca6fb8a7854b37f3

SHA1
cbb64c8189a2d23f38db7bb2b644d0b4df305b9c

SHA256
1ccc259e5f03798b9d99b3dffe8291357a415d53cb8cd730880c2b726b5c6f41

SHA512
5b3b60fb08c9f13bce8dbf5b50436f8e290f06e2f8f1d39b5ad785b6ff0eebbe22ae9a684151836212b15af0f56a245097c5deb470efabf737aa9ab6ab1f5dfa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9260b912bf1a8f63bad83a4d58542074

SHA1
a61bfdbcfacb2d96f9bfa03ed28f52d9196a9a6c

SHA256
f5655b2e1bc59f1c2bf1c1d18a72753b2c9d1f657c4356504138965e89344f74

SHA512
cdc7eb0a1e533ffa330e2e9dde4ff6c60d01b0cc0a02b7030fc860baad0940845ad93ea988ef2e9c5c70c69e9de80788a27812dc06922f642d821878dc25fe15

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c39ee3cc608d0b9343454bda2fdfe795

SHA1
f791d53387854d8f9bf49ce7dd0820c3e11abb78

SHA256
783c850cb718c33339be93911df1d227dac6619a09ae1764e4def9601fa8b96b

SHA512
f02715a79efd7811f8c23791745300a7fef8c8acea59111a6d57ab7498a2c6543f5afb87459c02f30a59b451f12a5e361f5a22880db27b6a7a70352acfc3d4a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
166258fc1743cc41ffae1de22668b235

SHA1
07b40e0f4776777bc5d414b866a129eb65cb3bd6

SHA256
88af0c5e706749e1153dfae17323e37fdc07218a22871f386f79cfa311968939

SHA512
912d12adca432ae038bfeb9c624d18311a1d33e3c2f329e2fb457a26531fbe7b881092aefbfce1e491627bd592c2e165388c26b4f92ea190e873fc9f30761c05

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c2d7e93536432a37c2f341823c3e7f30

SHA1
238c9e7f0fdf77813335eb9536a0bff6abb5942f

SHA256
c0cf65fcec63fa8b72e56811c99be53dca59fb6a5964b778a2bdad8f9aa62a17

SHA512
3765131e9631e30a87a6eb7f56c76fc4bfbe415136913acf70fd264ea2c798c2168277052c52be5cf408f5c24d4f844e5f5e72bb6953d89a2fe4179e1c68ae0b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8d78de01b2d0d08042795e478963b43d

SHA1
e67deb9e2198b52f24f6550add8e8e6822225ba6

SHA256
e953ea87777754f5ac82588bf35350e2a546e70b6713aa754007bc3ff3edf1ee

SHA512
c9214ebc93b0e3375447fad395f72d5ddd469081df886033e48d1d6eb9be3f75412e649aac1de61e377b0e2762f01d7d2c3609d14b2ae935ac9eb4582922b0b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
076a4daf7f51e1850d36b4c109281693

SHA1
44d4b4660dd42c2ce3aba165d80f66c0aeb01038

SHA256
dc052cbb163ffcb4dcf49dc993c15e2205c3649995d1544a43f33e4790d249bc

SHA512
95ffbd5846c1bb6d6e1b14b7fd28e9682b4bb5c6d24747dd4024d6e8830810fab415baaf67c5a439f3c33348ddd758e3992a359655094fb71368fc4236a32da7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
f268f44a23d2caf7e9adbc43f3950e11

SHA1
73d3dcf63fcb30c0c2b2e009a70d1483469e72e0

SHA256
6beebd70170fd4a90da53c29804578fe5ba521c1b3892ded7b6678da054a58d3

SHA512
8e4e01d1e9c77296acb2ea34e47167b4ae0c359ec1bb84c32fdbd025658f09ef54b2c7fcf7b5e1c484a8b5eeb2e76c39d58156eb40112012377d75e0b84e103a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
c56cf5e620a342a70e02b7579f5d5e4f

SHA1
78eb33b193002d0e1e94c6f9a6434afa7b39a554

SHA256
9ba3c563ac93c229200ed15c669cfef263f375d94fb9b5dfaa6b8033ea025037

SHA512
a97c2601780844c19812fec3f100722e1d0fab0f101d6defc2f015c67edec94e017d5a75fa5121f528cd6a179af259abaf0fef09b9de76049007737c0b4acfbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
271f0bf21626f267b1c98eb089bf6343

SHA1
b59a43acce3278e5127a67152ee7b3c777b508bc

SHA256
a1b34fafd76fa456fe87235925af4c9b39a8cae933044a08ca3b444d786aa019

SHA512
0f4abb3dff2b8761a72a5c68deaa2e70e509dff12f40303de0cab6681acf9f00ce4904d81c36ffb804164ffc1d3f97172d014e26139411c6324f0b1dcd92a136

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
f5a73dc4995d518892e7f2bc840d3913

SHA1
e184e4af64a8a9e248ad7400faa1ee9c9a2107e6

SHA256
c79fa46ef909569fabfb190e7fc7ac021b7bc7a7dea3a33cea04d5b7f076d8d7

SHA512
177daeab920735427ac174b5980b774a40c5a2cf6b18c414a2d8b1a5fc96390701db79b421bca83ef28bba802610c0a1567b8b6cae660d651b2b27c79de4c5bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
18cbe9e381be02933ca8914545ecdf02

SHA1
bed3a4baee1f630061518d496ae498baf682cd73

SHA256
8162ba1ca7a5fe789c8f869dc795ec488ba7c118e7c2aa5bab5573a19a03d144

SHA512
5e126e1df825394b22a77ff5620c6c1a6b622632b43d779df83fe229711dca7ae3b81fcc50735ca1c5c3cc5b4e9b9e1ce9585a9eb69e7f3853ad29452902971b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
6957dd7041a72b666c6f05c9e6474943

SHA1
762dd397cc3d759a975e7f97cbfc6ddfcd0a3d30

SHA256
578d8d93c05c6f79ab962021a0eb180390fb496dc7b0526e474e3d6164e1ff16

SHA512
c33470b645020d73c01e3dd3d1ea38e6cb0e17e7db587f184e9b4521a6f67d4024f25afeb5c39758f861cea72d0a64fdf636c3c1b003d061a3e5e16ac4b69d0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
1795f8799734fde4cc21740c2e9a9f5a

SHA1
f4faca847247c307b7ae7c5bfd4e74e2d95d34f3

SHA256
2bdebb0e19c33912bd3be3a5425b5444e410420d68c8e21977871623c2afeba0

SHA512
b36c391e08ecd5eccf389d1a253d25f588142c0cd7b34d32b18e9bcca1e1c1bb8a5a57e17e431f130b6964362d13bff1d7a5c08c73a2a69d204dd8d57815e5df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
65afec75ad7772ed1a06867a870ec9c1

SHA1
19f941124b4c102273d712879545c9c975a8a4b8

SHA256
38fcc2634cc1098fc1ed07387cfe246835c64321344f82abaa5f862090983288

SHA512
de284acaeca93c78d0548d1f020e04a2adbebae110bb54bfbd82356b642fe3efdb11720137ac173926097af4cf81e36c7b3def35e788b8822bb131bd573a98c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
69c26da6c10f2317375a82183150f328

SHA1
746941645680df354669a96bd9e6d0ee136178fa

SHA256
b9d559de1dec8812f618f266aec8bcea2d15eb1e82d6245125316b99f5de1dec

SHA512
f28fb19970316a71f2d46b9b94d45094aaa718f44f658126070af99d45f7a6b99252b77ebdbd0790dd0564ed0648d8df58a7bfc6e5abcb6f106624917e555364

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
e67c1ee40a2f507427f782bbf459a1a9

SHA1
f2181bf0dfef45d3bd84f9c6e864b078960c4dbc

SHA256
95da4a779549ed60929a36efac165f23eef58e465449103e55c6c87b99a300fa

SHA512
c71fd2b69892ef131479e82a85f60f6ff758a11d9fd07505b5057404c8a4cc2659ce4b8512eb850fe8527a85b5b93d71492fe62bb0207e44d7ca506397f9442f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
b2ac2dac141e83a9fe28f579eedf0b2e

SHA1
829ab5ad77596203ed2ca3adbdc9590b0f725cd7

SHA256
9fd979f1af2b37aaadc72edee460eff98f9b7d2d582c0c924e57e1a06b0003ec

SHA512
9b3249c1e2e223eb867265576ae814725d1b0502d474ec7f310a892e8219e3437685403d7ae51cedaa897304eb1cd971815b0514eb45aacc4532be5d1ef0db76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
d0536e500c58f4fab9b321617be1b44c

SHA1
1c03dcec90f476853bd910c32e213c3b41748283

SHA256
1ac823c007f51e33a1419acec636382cc656a4e734ba1cfdcd5c15907be28896

SHA512
bfab3f12384d20cf97aab4d2fe26136c45be78b4a38d34bc67eeb300ef6dc97fdcda35361fd8a47f4c64f8d3da1d6cf8674a477e78d9fafcee81097cc8e345eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
6dfc70789122ad785dda709d6502e620

SHA1
2e2a190219d5079b9bd326b43b0abf5980d37fce

SHA256
dbfcf77e7d1f962ff6d64c4072695b5bb669898e5e057ed8b01f1eaf9d1ba61b

SHA512
71926853d5e7540be1ff4f55feaec2aec53825bd1aa49b3f03b4bd842c5436ed89564f53ea4d999c67ac7a4135ee8e8a072c4bf19ea589f192ba3a672720ac7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
9126a6e97d44d8d77dcf7c9f140eed3b

SHA1
9dac566aed9a19779f617f287a763aa6d10073f5

SHA256
14caea204d8089a9933503634e51c51d961dd6cfbc6547127bc506db753be48d

SHA512
9fe66e500af4067bb9ea4f86cf48ead65fa9ac32659a0102e454cce756c5658dd0684e0b1ba860a5ef20bfe617afac0ab63a0901dfe23b7cc90a138be9a953af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
9f32df5776cefdb8bfbf0a59c3bc07ea

SHA1
d90c8d160c39b662871cffd5ccd018e90fb75904

SHA256
f8971113a63fafb01171191e592712db61bbb12911a64f6d3f6493259cd15620

SHA512
7dab4682a83ee24b61a1c68756968dd87117c0a5bfb3c495b68d667caa695719309216e699d2ed6b1ceb8ccf83223cc8309fb365ad3bf90071fbf75e2b068fa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
28eb95d91231090e323a5c535b5c7d28

SHA1
134529321faf5a8812f76d011768af39b5c7f412

SHA256
3c5bd30711e461259261f10489045b1364048bf7626f278025b24a6e428be906

SHA512
dbff9f635a31c432afdc78ebd911d8da0ffb89a6c445c15f99465edc1c78055ec4d7c02f5f051ee2519a16f00c7b029101ec6a8137d9657e6d4fa23f353b7fef

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2cf71f7322903e717528ddbd9caef4b3

SHA1
d9cf338855a18f63dd18d871917d891e76cfbf57

SHA256
813421e152378f280c059344b7bbbf119c25721ee20ebc6ae34f0903201d4645

SHA512
7b99b2cd1f7182c731d51a1c8b8b2bf34f637f6de104a3993b340d7eddd4c3cc452c43f1490501da1542b8ab8869e09612039d9c40aa0d5106830d6fdb64ad80

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
2cafdb025cce64ea7b1e02ad07663e7e

SHA1
0af613a81344ff308a0ae668e3e2dc5704b4af5d

SHA256
d614b4ac6603e0e881e43c603398e1a3b16a1cf5184842f02748cb35c22c5942

SHA512
ea59ff3add89eccb91cab244fdf66dc8db6657488f1f5916f9ab27de0faec1ed2421cf8e24e3190628d7f10d6946d9fb72248123a8e2e4530f93f8e55fa0e0eb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
b16179ef401c5571a695af968cfd657a

SHA1
069292e72e123e47e0a5ba8aa7667bfda463bab6

SHA256
d194a5618e57fe378ef1e8ac8b7ede106145e868e24baaebd5b121ce1ae5f150

SHA512
715e2e61e2dc08970deb29d2362bb6c6ff8c79302d4bc2488874d7fcd22772335f3dd6631d766409151c0ee1e50568b2ea010f63707709497afddd8f3122615d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6984cc0a37fcaf867f1328d3bdf8c8ef

SHA1
72c09cf35755526798023824e7e5712129785966

SHA256
b3f046410b566fc1b1f2dee4dc5262f564604c9892fcc64515a251514713255b

SHA512
3bb2201c0a272dbb1fd772289ccf39ae4197a6079dea7d0d742959a37447b2b0751eb2939219538a2fc11ffca2a70b11991a0265e6ba6fcd186c6258d8650370

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
564627d7fc4456e12a438ac2f164a4b4

SHA1
51ce0cd075ea0d5ef11a8b01ed266a904c5aa567

SHA256
74be85204caa2ed15b9ab5334282b3ceb45234ee258ea2068edcd4adfae681e9

SHA512
265c2e464102841bc0187814318e48cc69291092078736f30ede4139b37d0aa048fdfe39eaa28db9ee64588b2e79527d71256ed082a6ec20c7cd28c6741c3472

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
06dd5c63c48038de19e6fd08545f2e5a

SHA1
8a62adb0ef33966a86f279f175a61a3f3d77b385

SHA256
b0b1548b5e627092f4cf3e617bfe0bd965ee8f3ba08b44e356c4bc2d65d2ad5b

SHA512
a28888209900291288e7c3fd62ebbcd2bea7e633139d74012d45e3b30214ef68c2a8412d9b83a8a5d6165896b2c9b82f7070f9a2b372268b9650998462db94c9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
f6390ae77f01200df100a1d83bdeca0d

SHA1
5a6ce2238564cf49bb4d55117b23e5eafedceab0

SHA256
830df8db3a0f579b2391ba1a0b486bf971dda6d97b4d6a81fcd31365772f1e1a

SHA512
45ce2d8594e02582cff67e64fbbf201966fb4f0786b91eed9fb523605a13394201bfedc94f8e35ab543e668d15c58270106e22454d7e43e0ad2ef267170a3e31

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
77ccf83f43559c5924e2a45e76d042c4

SHA1
7f8d57bbe355cde67ef7a9cb3836e9a0d6899c31

SHA256
9e8ca80f4a3eb8e615e0b91c01fd65f93075b42b0fe85f1f3b367209ef6ec65a

SHA512
e5521c1d0ebe8e809e245c57bc9ddf8f5ecf698ba6829f648ecadc0af94108acf1a684db077ac2e16145deba8b19453641e99b29c2b49db6c2cdbd3df0613101

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
a472336a3acf78ef85dc85fcdbf07aef

SHA1
221279658868686a1cce8bdc978c401259769f9b

SHA256
29f22458b69723de7bc1264dafd16c0b04d06705d9e22c56ef69a42efacbfd21

SHA512
9b0fb09c867d5c2a4a43b34611f92f162e1d5b62de82062a135bff2fc8aa444d3e115b26153ad9ad70e271519e648a8b5071a58ed9f7fe0218f6bfbd2e9269c7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1eb961f4177ff2d1232e6405aab91f2c

SHA1
de66fe8efc54a062b77d48b6295e5b1ff06d2f0c

SHA256
45dae8e0642049d307dbef529ef6374101cdd6bae81c5794b4867befcab7171b

SHA512
d34af02c9db7b7ed043035acfb62ccb98379edf79eb0eb8169b85fef4626d27b7ee52854abcdf71efd2ddcc88cd763e763cc19572c240cf68da60a1c596a8cbb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1b696fc8d70e7aff43da319eafba073f

SHA1
410e85fb910d052165b74efc5a876a966e806d73

SHA256
787e032149232341650f81cf102cd8f9f53f0b7963dc94e4a95e106d93b412b3

SHA512
2e8d439f6f5bc35e79cf75ad87a0118768df4ebbfbf761972e02db6d3d55ea55583b53a05a2e1540abeda05fc5e434d40154ac31e1ce802b4aa7a2688af5d277

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ceb88f5f387339f1ae2273da4a1da23b

SHA1
d7200968669bd02349941f09c1a6f1c53df70626

SHA256
ce28465bbf3807db4c26092162f30358c93c180c3aa40a2c53eec180226addca

SHA512
2fcd6850673366b4b877e5a79a4e0da193453819da250c9db1d26458f6691fc08f1892e33eab8129dc2a9aca0b53bac8a10e55253d9f0b12c8bc55ddb985f62a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
5e48e04d8935af6ed9d5ee1ee4f7060e

SHA1
9822faa661d3004ec6a918098bb473058aaef1b7

SHA256
879ca297511cf58900a1738bb164d40d0b76e20961603d365c11b8f8bbc6e10e

SHA512
9971267a227718170ab2b051e210dfb02a6bf696797b5280cdc521b7df7f0866cf1e8e9d43cb7dd42e5d259ea9f242cbc8dec3e58a30aefcbcb7f0fe69f46d5f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cda075eeb3744c76a0f79efe428d0504

SHA1
d1f439712152624f334466e1af8eac06b9de9890

SHA256
71a1fe054c0aacad2e15bde520e06f87e51c5df453d45a4911dda2c9547a0d0f

SHA512
e9234093332f80f8fb17f216a7eaf6153dcd400754f64bbb679468c197d635fc7b7c5077dbb4e27939bf3701cec98931635669205eb714b6c55755050e627581

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
61bc821c37038851a713cc0f39c5c0c7

SHA1
17b7b024ee8cf59271312fedfada07be69cd837f

SHA256
fc63c13e81d34cc67af220491abd3910c19dcfa8d141e62869d1a4feb459d5d3

SHA512
4db892009b75544be429dc70d1b4a97ab6d7186323e7beece8054b202606764f0242898a258ba1a3ae94a98f6c0534ad745c3ab6a86dac81617eafc87088e8ee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
2bc9a4136010ce1395a07390e5b53827

SHA1
8e6893de490d3f4f73f01370f8dea0059f8e590c

SHA256
033e117b4c02ac3823a22a4f3117aa10458a0787897e3095c1bb17dbb6098471

SHA512
a70626c2f688952ddf0eba361f02bd9317ec10f286f13d204eb5d8f75c677daaf3ee54666cb25aa75defc80bed672bdd8c951af2836d32e3556a544ccf132855

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
b395f6c499b18207dc37a00a962c33f4

SHA1
ebbc514a1953b7458240e3bacc700d617aa92c22

SHA256
b59fa6d6b78546d49ee160d42123013b561ffaad7c521659e3964e406a1efda6

SHA512
eaf6e91e2db33ea957775ce9c6f9a97389a175ede81f3ea68b0aec7cbf6ec7251b0b19fe3f920821710eb3995e444f30b95dfe5aa1a16505918ed8c866a171d5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
95a139309d8cbd549a02e71dc21b95a7

SHA1
efda4307df09d2595c3e06816f33864c55a88b8d

SHA256
8a3676f90491748627c6b349289db3708a226c0d8e16d05229b21868a56174d2

SHA512
45c1d97637c1fa3add9c57c57737389f7f5b831bf2ce1c5e82aab806ccf954b942a1f7a0ecc415505c16c4cccc0ee18dd7a07a1599afa632dcf7107f9558c3ac

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
2b359423c30584a1e8627706e25a2c60

SHA1
d4677647b6406d51d11301d6d9db2f0845547ce6

SHA256
d954b52cbe9213647def2fb18a6e8225e213dab31976f4cda22977ef7f8e2a82

SHA512
87100b06a10e721a47448acc44ede7ac6c411ef66709fa1f85ea4920923e08ca896640ac3ebdb5976fd37490dee7fcd820fea5fd64a0fe78326381e804e1177e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
10a237085a7adde48571ff6749487a24

SHA1
765f8a2988eac784bd6fa2b19d233827bad1cf1f

SHA256
d8acb8e73acf8acccbfb777ff2c86102cce12038724ab1a95ffeb969ec761c72

SHA512
f21427cd12b456082930fe841e837a7680182da0118dd8d7d5dfdac8a199e70ba55b0b16db83192acb7eba4e84095b176d6b1b071e46f98c97fe9c45e2f86df3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c71f951f555b19cce68cad68e4a114d5

SHA1
501b423ae9e84d12e5f1f41d6c7f5a85698c562c

SHA256
587ee5f774a7b85c14a729be5567c2222504a657d2831fbc0f8d5fd2f5ade732

SHA512
af7dc0307de3a5baa9a0dc70e418650f6b2e5fd8625f45630d8e23a25fb304b47651e38eb248c58224371347cc5aa8c5c0236143e2ea5bc9cbe64f68ae87f3d4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
e5c373a28d82f57a8ba1e5f60ac5b967

SHA1
88aaeafde3adffafc7d57719f832ffeadb577d29

SHA256
5cdc7a46e1910b762c6b30277611730392170b3bd5067fc8a76fc75978adb19c

SHA512
bbbe9b377f9725cec5263e9a551826817739cf0bebb62f28732c68128e48dd90d81660b8d5146abdf08fb78437c53cda718472e637147e5c4a51626256186822

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
d8a148ac4bce6402bf23a4feb20458fb

SHA1
16c8b175a1b8c16cdc062b81ca81b4ee8bd65620

SHA256
399401ade3f0fbebc6dc1033e534dcc84832922a65287987835a298c47261578

SHA512
19c8df5623b2348f56387a289667be70effd3dece46c3b464799f3ef2e82a028bfdd8935d9915408046c3559eae081a9229bf877f96089d3462394334ec2b594

Download Submit
memory/552-618-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/552-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/720-21-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/720-20-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/720-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/720-102-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1032-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1032-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1032-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1032-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1264-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1264-615-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1360-620-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1360-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1396-619-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1396-258-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1824-612-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1824-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1824-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1896-614-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1896-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2240-437-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2240-154-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2376-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2376-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2376-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2376-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2376-47-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2780-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2780-52-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2780-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2780-58-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2892-32-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2892-34-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/2892-26-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2996-75-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2996-87-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/2996-74-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/2996-81-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2996-85-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3140-140-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3140-251-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3244-2-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3244-89-0x0000000030000000-0x000000003015F000-memory.dmp

Filesize
1.4MB

Download
memory/3244-8-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3244-0-0x0000000030000000-0x000000003015F000-memory.dmp

Filesize
1.4MB

Download
memory/3612-117-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3612-228-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3768-613-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3768-190-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3948-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3948-586-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4368-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4368-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4440-129-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4444-188-0x0000000140000000-0x00000001401C6000-memory.dmp

Filesize
1.8MB

Download
memory/4524-109-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/4524-216-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/4796-90-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4796-98-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4796-209-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download