fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
Size

648KB
MD5

ae3869d9dd0d4c338b733de01bd775bd
SHA1

01605bd61757dc7c73afa2379fd8d87701ab5c7f
SHA256

fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52
SHA512

ed944bfddf007a51c42242890aa65410481ba5ccfe1649e478e99f7462c5e7a0936b78e9efb99deb7e7e43d7c32eea435741f440a07ee956dfd8281523391c2a
SSDEEP

12288:hqz2DWUnTNjYGgpK/vnRsmH5Ckt73qfKrrzD89f24pWYbCXGah2JoHq1MGJlyw9/:cz2DWgTNjx+mZCkt76f/24pN+XNqNG6L

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4480	alg.exe
4360	DiagnosticsHub.StandardCollector.Service.exe
4304	fxssvc.exe
3040	elevation_service.exe
664	elevation_service.exe
688	maintenanceservice.exe
1908	msdtc.exe
1324	OSE.EXE
3224	PerceptionSimulationService.exe
3556	perfhost.exe
4860	locator.exe
2960	SensorDataService.exe
1712	snmptrap.exe
2996	spectrum.exe
2480	ssh-agent.exe
2224	TieringEngineService.exe
936	AgentService.exe
2008	vds.exe
4160	vssvc.exe
4616	wbengine.exe
2664	WmiApSrv.exe
1972	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\519c3064c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\System32\vds.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000788c1b6ca7bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bbb2d6da7bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8c3736ca7bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005076466ca7bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b655696da7bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aefacb6ca7bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062dacf6da7bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4360	DiagnosticsHub.StandardCollector.Service.exe
4360	DiagnosticsHub.StandardCollector.Service.exe
4360	DiagnosticsHub.StandardCollector.Service.exe
4360	DiagnosticsHub.StandardCollector.Service.exe
4360	DiagnosticsHub.StandardCollector.Service.exe
4360	DiagnosticsHub.StandardCollector.Service.exe
4360	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2492	fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
Token: SeAuditPrivilege	4304	fxssvc.exe
Token: SeRestorePrivilege	2224	TieringEngineService.exe
Token: SeManageVolumePrivilege	2224	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	936	AgentService.exe
Token: SeBackupPrivilege	4160	vssvc.exe
Token: SeRestorePrivilege	4160	vssvc.exe
Token: SeAuditPrivilege	4160	vssvc.exe
Token: SeBackupPrivilege	4616	wbengine.exe
Token: SeRestorePrivilege	4616	wbengine.exe
Token: SeSecurityPrivilege	4616	wbengine.exe
Token: 33	1972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4360	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 4432	1972	SearchIndexer.exe	106
PID 1972 wrote to memory of 4432	1972	SearchIndexer.exe	106
PID 1972 wrote to memory of 1680	1972	SearchIndexer.exe	107
PID 1972 wrote to memory of 1680	1972	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe
"C:\Users\Admin\AppData\Local\Temp\fbb652ea4a4da2fc04634c38bfee2fb67fbb27152e4b1dde6e7d08613868bd52.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4036

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:664

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:688

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1908

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2960

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2996

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3756

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4432
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
70f5f74f09028add908f7ae3edebe623

SHA1
6339b7bdf86e80567cc2180696e421f7783450bf

SHA256
9d2198374fd867acaefeed5ec966a2bda3ba30b308dd0b3bfa2043a521412484

SHA512
ad5a1d626cd07bd2f9ebec679917acada23ffecfb3dd15b00b085e3e920a66c404a9553436e73d064fe8944eedd20fe6c7f2bb038fef7da347357107c7c614e3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
ff58abbda8ad123d9802498d37f8d8cb

SHA1
844696eed84bfdf08094b0d7450a43b0868e9023

SHA256
a616844bd5748f3839b15d9b3d25ea68ef0087d8a7f42d0a095c0dde923b84b4

SHA512
eb910de61d3e1122e8846bce35985bf9098c5fb998feba48cd44668e3918db256a0f944f8f5bfbb850447f14c0e4fc934b6f03759a836d4fa036b59a174eb336

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d25c92dc95f740d81417333b8553abc7

SHA1
c64bf3b2898ec638a667aaf1e1dc5d4475573b1c

SHA256
5b6d815c3ce1e920cf6a4e5831c5ebafc4552901a3bc33b769bf1b5f95ab64c1

SHA512
227ec93b95c335fbb724f6d42c7a4e86ff43276ae41af29b68cd950289059bdaa5b52a42bb3ea1be2f138dcd6b6a55c60c0900a3d43393b6a4bfad67b8990dd2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4ff266cd09365222e21971f0868f63ee

SHA1
136921f3abbfdc1288b846c7d69ff3cd5e7ebe14

SHA256
e66fd8d7790ab4e3756d31feaed7663a34bf7688d10f2b154419a08a6683a649

SHA512
630a84159a4b54672b64ed72007912fa7f626c54aec1d26a06045977454640220b09ee2ceb56c57660fa6cc1dde5032f9d671cfc493639da0ac167ef96ea3c60

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7e151952b4d59431eb83dd2363082343

SHA1
1e4b1126295ae1e48d53a7aebf359c2f68726a8b

SHA256
352e578c0a3da17221f380c3647232b9188c5ee2e268c7caca186826c140d107

SHA512
be38ce6d56ff0bf77c58ef9d7472fccd10ece7942bc8db0a122a87585748bf16452ca0451da120b1e0e27d3ed9853db7fdcfd3248508a252a0919d00b60b3dc9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3af4904e3f88b67faca77e03bf7e3419

SHA1
5059437547ece3eeaca9885f26f39899258eac37

SHA256
278052d5f0f04c24777998c460f9f3a74b322e1026ffb8fd76166008571f7660

SHA512
3206798e8d7d7e1729614569a4685c66fca4080e38dbf5b3928af122454eb526c1d04a455d1aae5c53575ef457cbfe3518129a5b8d28dc7cf709555584c0a540

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
79a622b614366e6387b16f3c5073b1cc

SHA1
7820ce82e25b686f26d2721311ae4835d352c783

SHA256
e8291a4370f4d474d2b2cb9b20565f50568b4f8e8c1359a0c409aebaab0f5fda

SHA512
04b9a836aef8acb83e1caf0ce39cec40de01c76cd45738b2579fd91374d6c43a2980d5b501bc14c07da83ae84159ae0c20cc6374e59672aa93927f77b944a282

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
663c5dea1012eb4ac5ac4adcefa02df6

SHA1
7220d4aad7adf5c904d10ee6f7341a59e7764d9c

SHA256
ad40fadb2eb4a1758668b75c805277e498ae3a07ee899d91838cb75be269dd21

SHA512
17679ff7cbf0dcd447df5d11209e696373b4c215470d9fb168767621cf822ea4a89a3c3041566adda04bca1145bbe2122b96d02c2b4d2f70cbccec420a997833

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a4916a9033fe17f24860b20db050f67e

SHA1
ef3155a77529b0a6222a920b2de2790bd822499e

SHA256
fc83c2303d4f3e54e1b004502ee8d5792e41a19b9c640f56cc0df686a558932b

SHA512
a961383c333cdf464518deaa8b16b10af6e1a3493f1f770ce71304ba4ac4560ef7f34648c6bcb72f74b98f7291721bf1c83df9ee156221845bb4d6cbb33950a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6f446ffa2b65eb60864f477f16aec687

SHA1
5ec9a17ca54698637eb2ac1ee32dfe6f1d58389f

SHA256
82a241c522dce07230013ff8f19841177041a57edc33685150dc3db65ebbfe24

SHA512
25d139c4f15e18d2796112c13d492e155d78459fcc9b62857350cbf077b87013f4ea648da4334c968926aaf1be39d22c80b55858aee161b2b1faa74c3bf1809e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
085e0f16e907e0c4d7e81c8e6bc016c2

SHA1
b6b892fb94373a27174a50b435fb87ee1c5da990

SHA256
e73cb737b4e7bd96138f5f95902c62cc7b03c43cffb6b779b88d12a89ab7d02f

SHA512
975f0ae5cfbf70ee17798be1d1da7a5bb9db27ac8ec0ec3fa86568874f70c3431334ce2121ae6b134359bdcb5a0aadb756805a02a63df3fe3aa4210ce0e84351

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b85d4a40c4020e8888d0675d9d7ae65a

SHA1
e24b4722241d93e17643ce7a9b15e773779d718e

SHA256
e443dd94610125acf62b96e85e01ba663de7358ef3e3f080b5e72108495c9a0f

SHA512
8684519687aac99d256719e67773628351cd7a1f6f484bc0dcce4f215d3b3cf21aea1bb5463675e3f553d70f88a3aa2500201c9bd8deb1460db619c1a8ebd75e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
403f8024e2aa0e7b50be9520096f325a

SHA1
26a1a6f917a15713450071bdab93bdd004e213f2

SHA256
207373c45f651d2358fa0cb1ab137eb89aaa83257eefb7b0b7422ffb9a612771

SHA512
2df46eb65be5d589f50d827bc12b2d0fdc3861192c51a9929abd47503e75b692a3422e1b67da8042e23f54aeb7abe532e8dd4e9db7c69d98d52dd15e4a61bd22

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
aed4c71bbd574752870112594fe0cced

SHA1
27e8c0b0e27f54b64c84d47872ffff09c2b08e2a

SHA256
4c7cebe3e626086ae52002ea3c5af57d4a5649907aa0a3d051abdde5b3ecb2e9

SHA512
7b4a0c979398b11ab6ffd8580cc962f3e261db23db032f189e9ab967211a1d2ffb52a2419b3f073027055667d47b63c184f3d5608529eb714902f74f0630f51e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cf51ee1d03bc9b146d93b1e0a0d0dfe4

SHA1
7af49192dcdf0495a26e1194d308f32007e71752

SHA256
5d385a17e0bffbce9d00fc32a3cc4c0174ba02447c5ed54fe8d7c030fdc790db

SHA512
e9b4067556035794ce8a26f507e3a419fc810d5cd5408b18d2c9e7bd64c7350e1ec842a50c0ba69a05973fad059f7cfbac0ca6c3cdc84c7210b1d05183ee2581

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
919a00ab270f9cf7a7e4220fda355342

SHA1
242adec8b727731ced78c352299582ff8830c88c

SHA256
be7854416d813e64470912413bc7c2ac521c4dcbd51b6ba80f8c75d1e4f0f250

SHA512
11e6cb64b7cbdd11d4b9a125f898a468712235c2a6fcaefab38d65b980a8ded739cea884a610cf28915e157593485f6b0c91f09d23ef352317810b1786bbaf98

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f54037f55dd57dd71aba9e6416a0f03a

SHA1
b797558c2c7670700b77d089d63f9fb080c22ade

SHA256
c55be39bbe9e72c4546e67e97c7a86cbe87c9bcc5067e6a39a95f94a40e730e8

SHA512
05b885e1e80a2913527c420af037b783c6c20b336c2fce54703394c60f7eaf3c511bf8380aba665d9e7d3f9fc277a69e671d362c923230452940e21c66d05f4e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
17eae481d7e8edadecb111f0c3539953

SHA1
4722402e32ee6407b88e57d2234ed80287d6f526

SHA256
93bd526d9e5c2265f6897f60320ef3147db01dcfa73a66dd528ca4bf49296309

SHA512
14b6b650e6f126729e30b708862767c8e6236804c54c185090e8ef49a754f9d56c55ca187c7e113bdb790a4ddb03eebad8857bf619bcb13c83fa32e5cb33062f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
88e99240d9a1efe7b1261d1a090e9030

SHA1
1b0c7e15cd7a95db404f5e4758b52754013b128d

SHA256
93711af3074bae126208c0a19aa982a6c7f1ea73c02db681d4f745ff1a67bd12

SHA512
135587b9b8d7e9b4107f108282a246ec3dcdcf8133d58faba60978c38529d328421b5d2a69891845855f991ff6d4c7e211709585be8263334eb200ffe95516d5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0f2e77c6722bd5f69728292494625f60

SHA1
07ca45b84069ec653fb2e6ef9c852147ea88b48e

SHA256
312de33f1d9ba56dce6d851e7337bd91ef4052deb54523f99ca2fc4ec6740afc

SHA512
b220fa139a11ba0870b04e7cf8b058b2cf68c8d4ffff878c69696dd43ba38b4ec101432d4a4e59f51a1341d43d7c240ea4daa83d047491229772906e120e061f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
aa2263fa354e653cf8084be8f3c79a93

SHA1
eac9a54fca4de62a6f32ead766839cbedc65ffe3

SHA256
49e0ff703445d51274fc12c5eaabb28c70192fb6f6379ff24fb99dc24151626c

SHA512
ca730e2b10decb0a78475c063036141c024ce654762dbb129e31eaab03d0bc8074aa75a9b600a11d03f660a045dc5ead5bb07c95083c1aefc3bd81152c5267e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c9aa688cfc6ce494b2c2f2cc385492af

SHA1
552835161059f996ae9fd214a0c1a8c5345381f8

SHA256
c5f6c4eebe782e8f5fc4db2ca360d2bfce63ee747258b9ab2edc35965cc89a70

SHA512
767043eb284b43afd0549c59fae633f12df2f14c68da1d8e6fc1acba71318e6b434b3978be0373d7da8ce678cc6185b7b33b7701b1203acfa6549190955af3d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1f3830ebb3a32d6032eb6f657f4e6918

SHA1
b6aabc78b12c670c3863e9552508a95af14c352f

SHA256
e7f3958ebcc6815754b4466f117c57a728bd7d0b3f8ea0c9f652e773c138f328

SHA512
14d46e8ce963b85827742d3bd67b64785a6f6969a6a984046903ba25b79397053c7b8ebdd1fae833f281ebd7360b26d14fbed6106213ea083d3bcc81cbca079c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3c8d66727b4881de506168fd075ad7b2

SHA1
aeafd0100c198711f47eafe874eb447871e6d21c

SHA256
cd880f7cc96c168e734f8cea699e2d2fde56c50c5c76f3b86de5e72d64243730

SHA512
be6779ce75d0c12c711f49fe40ead5d961d1565cb03af8fb2e086a98ffa81086d42b571702039969c2f8c6c69ccac43b9dc34bf926127e02be2e7b2cad0c4e6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
87de354395e7a40e3e2fbe76680daea2

SHA1
543fd4e438e38401ef4f7b788bfa3e6241127683

SHA256
174edcff5016f7cedbc31f963e0b0b0ebf0b978b3aa86b34d329193a7cc7eeb7

SHA512
0d5c1b5675d1f168950457761be8dea13a113313785cd0f53d5f6e4a8ed16e438060c668fe6863a0c9ae66095513724222098d534054f36689edbba660265690

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ece57a7c86b09d8e1f92b6ccf8d1d515

SHA1
4b65e8200f96ece316c891dcadb6b2150525dc7c

SHA256
65dff5d00c0424e0811db9cc52fa3a36b66d5d700a89c9a0711d7d66ae988809

SHA512
2371dd850848add703f01f4a78a34717ed3e2e1e2875bb8413629d27cba1f70e8335317fbb069c1c02399753a880b25e8c155f667ecb3bbc0a106b4cade2360c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
644a2a2fbb84c5d77c14878f1200f6ac

SHA1
929de0225c92f57a06370fdd48eb81e28022b65f

SHA256
2e71ba1ae4458507824454c4dd620091f5608ae3257817b00743a24b3cbccbdc

SHA512
8f46aa1934a8cc1a9d94d6523667bac044ef944ebfe9f3b24721c6c7e790c1e0f7702aff3fe77fc4cd7023674c704662e635cd9e7111b2e9a6ca462965d2068a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8ff8b732bbfad724d30e7db60028e8ef

SHA1
43c6ecce1f2170e7e3a1cb11964ef959d4c3fb60

SHA256
dbce07879598623405db75f901dd828689551d99d45c68246fa418f5895937e3

SHA512
6a16e39d5c393f23a26665ef954df565831845278c9a5d8233153de39304e7973a129372bbddb460e1debb7c801cb4b4715b0f473a369afe15be4164c4f8c37e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
75ac6b1f769c9ad988a212aabcebe70d

SHA1
0771b9d15e4e3835ab0e8c0de8f462e549666394

SHA256
d5d6409a88690cb7c4946bd989e50d24cd22324824673a4817d4ede9331ee21d

SHA512
38fc0605594758b133f594dbf3c0ef8dae8f5bf798e6885157d59b4d0469441295dd65cd060cb1ac8f4cdd3b4f136937cc24c80680b80ca2e34960d2b68d87bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f38fd92d2992ac05aa6e2282e7a68574

SHA1
424aedf686616945ba4c5a9b75292384f2919d07

SHA256
493a6f0acc14af564cc41fedbabaa98cbe568321a51169bf10612bcc19bd9d02

SHA512
7019621a292c377dbd384f75f6d7a39b3b2859bce1825df4d36c59ed120d422d2b273baf3b20adbcc9a3fdc23c971c283353882888ff101e94e6efbe181f5dca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
0c52c3cd9a33e2e38d064a6c7841440b

SHA1
8e0ed7fc957b635922387dc22bb488dd69636104

SHA256
c232633200aa35af5d5ba3fe365f35511488e7aca97aa9f222ddfd5a3b3d29bc

SHA512
79af66f2d8defe2b5c2d797690dfbe65cbbacd8c986201006971c6b4b118ce0e87b5f7f5c69047b5fe1e1dbad2473f07c1c0e247fd627b0c2814d3603b9ce2cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
dc20009718ced6165979f9e6d99e2885

SHA1
6afe9320f82aa06f11185847e7a0d6b104378459

SHA256
0b661780dd07cf406c8a89163590bcf849fdf1c9aaeb22bc6e705e37425ee020

SHA512
7c4012ae9aa0cf03236562be19f8a274694e7063ac7fafb10d363439743d85451c79948504c7a46ae3d7a6df3aa0900b92e4f57fcacedb80bbf4491b1acd2b2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
479e8716372fbb9b7c10cbfebeedf26c

SHA1
9fedae972fea2d7fa56798ef15a708ef07502cd8

SHA256
7888074e354c16d9d5f66bb70955d5535c5e5ef037cfb04f2fe0306c7cd3e05f

SHA512
c6bc66af58723bbef99470517ea9c1cad2ba4ffbf246389006a5e994f124dd7ea2e970d98ac897fda0c3a29ae2ea942fa8237f69fabe61855c5c9053d51eabde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
22d6219db9d269df32de6ea1de8628ea

SHA1
11a2e134122b91285777dee215463ebf5caf7331

SHA256
c0d9b6e0ea4de81a9c79bd08f88151db7ed836fcabcbdaf9082fe30bb2ae0b7c

SHA512
72678a1aae221f8f4529c3c12c31641ab796075e548c67e8940e1a4e235d7ba9df2ec5e55aceb0c1203ce701995242916ab848077fc15bfcb2e7c83c72b6bee8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
8863a59cfcb06ca6dedb1e1b751f95f0

SHA1
5d8b9ac07061eabd4fd48a62558e44c559ed3090

SHA256
eb0fe5c3a8aef36346a0b46770520f8f74c49c81f785a1d49c2189a0d8130393

SHA512
f9992486cdc38128b4b29c29eebb67acfcc20e7c3d6ba2ccf400a2ec09f6b5a881045a15f79c03a573043e9df86411ebd4ab6d2643210732d7f0a0e910791335

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
852be1b937a847eac2e4e7c81e44f1d8

SHA1
eccecd9375ad3619fc2410e56202f9200eebaa02

SHA256
8844cf9090f35aa3f2a94866c81c908641e4946a0919b5d7b1677e063cd9ec83

SHA512
22a238aa78837b2359c919ac27d54292c7612e187cf69cdd838cb25dfbd0bca9b8cf9c8249ade6a1da5ecddac39d8846754c90a36e3ee5e2b569ebd32285851b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
364a2e37ab1738993b134c441ce7e008

SHA1
a4539b9dc721d341075ac180a5373ce9e85f12d4

SHA256
b839fa42e450cc915ef4cce8d8eba8ad68a975845453f93c73594466b829babc

SHA512
9d2982365516189fb858da83335cdc3112f8fd1024b39a9711ea04234d7e5e6fb3403995d9111775921e799354d3b80e70a6992f0b5bf540769817430bd175cb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
dd065a03866ff8cd74d57f0c4f798c23

SHA1
0ece6b5451b8d07ffdca75559781b8814c04105f

SHA256
1ae7c7ea6e97cf9bd2728410d2d89a26653569ffeb6db32e535e235a270e8832

SHA512
d21832987b418be8cfe6b9a7c7664d1abc39715d7221c92572bede096d18555b89ccbedb490e4d34bb409d1ba55611d26ba0405f3556ee24a3f83527bf8c71ac

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f5f4f0216ec98bbc6a51f087bb634b95

SHA1
bf58b69b2aa2787f6811e878ca97449b50921e77

SHA256
a095a44c01be9a8470692900a179e4753490dd4d14c6d24987169aca3e9a0500

SHA512
a6f2304b251b5016a836c8d70d7299cf349d15855aee17262ef8fb5e6e766aa1206de22a02a8dad19f27213ef8643c2d082823ee2242d33dfa7753e195a9ee9e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4e1a0086fd2ac51915b4d26cb1445e36

SHA1
70c573b55d2d7374a349907deef2fbc7f968ea22

SHA256
6e9eece219e8869664e7fa474a6dac7cfab87faac5dc2830143512bab5b9e72c

SHA512
5c7985f621f69be2d8967d194411779472a0514eeb8d1e2f1b42924ed4bfa47ff3950586135c2231f92c458261be630e78d1cf6099beb02344de945e4d2beb8e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4b66b05437d449c98d8ff4ce446ef2a9

SHA1
2bea4c92dfe797934faade2e8a9f3d236b4aad10

SHA256
adc983d8335f31fa52d1678124fe70fab96cde5a7fef00540e8dd14177159a19

SHA512
18c8e3fb20c93a5d992c09b7c2094b6e80c260cb7ef3fad2b7bf519e92f2efb097f4760ac27866c7044a5e276b48309ccea6c0ab230c9f420d0299db1a52ad4c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
41a55b65dbe2b480aed7318220301873

SHA1
d867ae5d4b5f3f599bff64e732739a843f2d80ac

SHA256
f2975c2a8d228d64514c644b47a0ebd3bc20fbfe18816010b6202cf263de8792

SHA512
f70d621a47262687d747ed325052ed62f8961a0e748f1b4330090bcebfe0d18243004c80794c86c07ec8c3569e3538ea7e5fc078633079b5b1d694439cadf262

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
eb00a3ad7c28630c868dcf65cbde5c26

SHA1
7a27ed424acf15e9cf8e491bb086ebeb08aa1094

SHA256
8a5eabf696169850172828502eed1d93cc21a3f11f1aca6997f24250edaf3dbb

SHA512
cc8c1d7b715e693c6c22fd0bd0fd324554c5c0570a81404e20af41c7e6d81d517ad5cb7001d06dfe9d9cea65743f3233ae82a0fb0966c16b054d9746c651800c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7c4db6c5ec041f18466d39acc3bbcbb1

SHA1
dc55c56fe7a0e384b18cff92de744022a83a1617

SHA256
205c6200ae834b1da81ca69d04cc7094ceda7e8f964b2c20c9ca8474a1237bd7

SHA512
a3089a9a0cf87b227ff530019103c56b27c0b4d82ced31c615de5a179462035d0d5854115bbf0aa25bac9a1f16ebabb3e9d4eae618a45887a3ab137da612afdd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
47c2543439d9b49debe7a975d6989522

SHA1
0b2f86585d5a6cc7e21dedd2e03ad94b5bb22f5a

SHA256
a0b8a07bf00d9bdfd2510bb19105ced3bb1484bd364c2de34c24839e24bca4d6

SHA512
95b774fc1bd2999d99c9bb4512ae676331672eed7de4f90e92dbddb0a094d00af2c20afa808c1d3f44b9f63c48a745ca0c769c353ac40856d04e1a641f55e120

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4c9d5dc1012cf558a149d2b726be77f1

SHA1
d7d4ccfebb9db83663d81a905aee90b0c0570a28

SHA256
ece36cfee7ff9a37454ce805c9409ce56acabcbac73ae94e46311f0609d122cd

SHA512
d1aec334cc2db9487f53f2b214f7f6b1ef1c1c53f36d8305dd117d49e3ffe9f39ed6c1af2e50d0ca3e4bea9566b869fcf12be696bae90b23e5b1929c88bbeb26

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ea7c9bd79b7d9795b1de038128763576

SHA1
daea54a766456107ce87793b66a969a8542ab321

SHA256
adc80eb7f92e16b453c9e19926fb88998c5cd0f226c27041fe71fe42e80ab83b

SHA512
abd106b85c0c842944cb516a194105cf8a1b07680666be119e22ebcf08b34930aa1bee3561c6aa77828c929fc30b2e0ef376547d9b6e4126963cd2915a9902ed

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
54387a33358d8c2c1f6194ba6a4ccb7d

SHA1
eeae67f0263dc8e0c2231c7df363a3b2eb06ebf5

SHA256
a30cc3abbf6eddf82fb72b292cfaa4c9c74a77bdbfa7e4f977903dfe2663a6f7

SHA512
f4ab56e79b75140ec6b703c4d9c1e77e5d970e44bb59c48745677b7a9eb1155640af227c79948427b32605da89372aad872789b0f9a4fe6ace6c9530139305b0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cf7cdabeabdf2b4d385e8790cc7aeac7

SHA1
75a354db1617a95254ec8ec6ecea2ed6969b4629

SHA256
d8bca770cc2161a12d3c23e7e8fc2b4794b1cb8de805cfd6432bb274b3563851

SHA512
e05e4445238f04c302785337b41fb472797d871cf92cbaa4a9cdbcfb3353fc37e454d0bb1d2c79cfc5de53b9cea5707be5f9fdbab28d0185bf181ffc82878c0e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e6190e5f6cbf284f61983e85291d91f4

SHA1
a3d5e81569803c239c8e586ecfadc856a98f5ce6

SHA256
5c46f92320adb6b635bee7c06004d31b86ccb693815f98fc085d208443d1f9f8

SHA512
bb444f77be8a2d3c9615d64b9194e88d6e36c1a106a35aa1eea2a236d58cba1ff349e36da9745044d2fa3e969ff68cb23ece72cc44647703b3e8379a274060d1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a3febfb0fe3f7e552293d099b1aed932

SHA1
d5f950b8038469fdb3ae3bd96789ac0d202df8b4

SHA256
70d1b16d3c5d434eeee0bac16f43d9a873755c56da5abcf3eb458bbc8cacd1a1

SHA512
95a5c3e295c7be70586c50baf3e75793d991b5deae41bc9da74952ed8e02ceb38978b75c6963eb51987e1ff8616af0bda9dbba06f544f0649c89b4d36c939774

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a66504e2213b73ea776c19963ae76213

SHA1
39b04f7f4c9fc9db25b9bf3dec56d6650e24cf56

SHA256
1ca10c39b26b70e6e6a589419c88906ab511d73764187470bad10792510fbaeb

SHA512
ac8d3ca5688dfdb5ddfd73b242b808700e83975467d0cba274c51de1e094f4183eb4a97ccf4023881ec4008130cd27890a8fa0850a2ba5082e2387ee618add41

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
852171e50cfc9bdec63ad7123d734f69

SHA1
7bd86ef291ceea869386adff0a8b85bbbdfc8dc3

SHA256
c626f8c89d8962c4661f6d16413f5915251930904a97551d87c8ad4211b96e91

SHA512
2eb4ef951e564d801c0b4be26bd8799547d161bf62ae8b379923dc54506a76f34a884e77121aebc2d1926436f4ad007092c7d2946f0eacd003f680d39a419f79

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
68db23e307478fbb820c151ec68e4544

SHA1
d4c4921ce7a4cb71a77872d1b31a1c80411e5cd8

SHA256
a3412d96689ae1db7870e0197b3e10c1d0bcffdde39fd73af3bdeca9221af215

SHA512
5fadee68687a46e29533b337a09aa336a37277b33a6476cd9f4075826a9cb088668a83cb9c76acd61f3b6396955d502f9a3605d437107acb05ebfdfca3e94cd4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3e27c7060b5299061ac62b1b72ab7e6a

SHA1
fd20979ee3fc92f1cfd62dd17eaa5eafcff2d5aa

SHA256
b4845753617a4278530360c4aa63f1129c4be1ef97295a8f95da4585fc106107

SHA512
36b32bbccadde07f0f8d260701fb0e62cd92ae4668a0cee0bd987eb015d31110b7f248d90a1a851f1b1265a6387fd459a98a239af66d66b808660ec5cb777320

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6da3cba4f87a2d8be2762e5712b68a9e

SHA1
2286d152d9fd2ec08b8cc2e6ad6ae6253151e0d3

SHA256
a2e7f042eb5e816423f2f46bb7bee91076e8faaa7697d0b3fc03dd5229c58611

SHA512
24e5b7935fc4fee7009dafdd9f6399c3fb0fd4e26675e83cd632804b189983284c768fe029c4739ed4def214183019989ee7db59e1a236f23b1a8ead978ed10b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2ab0ed75b66f089db6a5f0476e5060c4

SHA1
c04d22f165f47b878fe0522e3c0fa889357ee0d5

SHA256
cc23d026c5da11f8448e8db975ee48e990282d8a2062fa04ab410073960a176e

SHA512
f401e8cb9fd147703977d14565869340655af55260e719aeb7cdaa200b3982550b7ea3508a78ce79badcb54fb89d9a176ef3fa6a9a41e21f836b2ad58085331a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7f0a8bc76f747bf4e7c8946a5f0428fa

SHA1
29cf6442398f6bd1b73b45a5cf76eebdd0990373

SHA256
0aea3c08582304c10fc5502e45f44c884fb8ab04281945bd41fc90372a058459

SHA512
5ceaf72c8b46ff2ab2174a77934d55b111d8bde313f3f8d79295cfdbfeb5ebb3df2014f651514477f59528d989fec88d40404de1e6fc11f994ba83866ecb1385

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a3a03025419bad6260753247b11709a3

SHA1
ac3971533f1eb3dc9d706ff6d92cec7d5c93ecdb

SHA256
865b9cf23fd37531fa94f95ebf1f10741805e3c99b0eec57cac2239accf2bb5a

SHA512
3ab54d078a38f6656f2c34f42cf8726e7dd7e147130107c6e29986bfdd79ed23a7970f55ad505f6d78f3e3d6fd3fba40ac3006da88ae9db26987a87725ee50ee

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bd2da599c9959ddafa5f08f5fe0581c9

SHA1
2fb4685e40b04d1a07af7ae697a4296f3d73bd65

SHA256
13287f84844b0eab300a21d4fa0f508c8e88a2503ef54a5ba9d6e350f112124c

SHA512
ac0f6aad996d8870926a1092778519eef73d94f659a8853aab39fda4a1f5fbf15fca5e81866d4210dcc8b2fca6e8fa639539cf457c67b8179b2e20a2e52b88ce

Download Submit
memory/664-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/664-561-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/664-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/664-207-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/688-79-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/688-75-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/688-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/688-69-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/936-196-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1324-226-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1712-211-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1908-219-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1908-87-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1972-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1972-566-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2008-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2224-215-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2480-214-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2492-501-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/2492-500-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2492-1-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/2492-7-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/2492-250-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2492-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2664-565-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2664-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2960-210-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2960-559-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2996-213-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3040-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3040-560-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3040-49-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3040-56-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3224-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3556-208-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4160-564-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4160-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4304-85-0x0000000000DF0000-0x0000000000E50000-memory.dmp

Filesize
384KB

Download
memory/4304-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4304-84-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4304-44-0x0000000000DF0000-0x0000000000E50000-memory.dmp

Filesize
384KB

Download
memory/4304-38-0x0000000000DF0000-0x0000000000E50000-memory.dmp

Filesize
384KB

Download
memory/4360-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4360-34-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4480-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4480-457-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4480-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4480-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4616-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4860-209-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download