5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 21:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
Size

648KB
MD5

f99e6b5a6fdc468c22716eb9a3ca6ade
SHA1

06b552f52fba1b2fbdf6c9ad09ca9020ca07638e
SHA256

5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe
SHA512

fcd28754f2ecd9e1d83ff2bffe8f46aafdfa98b2705e759d034e7a48359bb6639530ef61bd968b55422d0a5c1852f75761d98b083a5ce158f9f88b8eadb1a637
SSDEEP

12288:Kqz2DWU0Gt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:jz2DWut/sBlDqgZQd6XKtiMJYiPU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1828	alg.exe
1764	DiagnosticsHub.StandardCollector.Service.exe
5008	fxssvc.exe
3276	elevation_service.exe
4924	elevation_service.exe
3436	maintenanceservice.exe
4536	msdtc.exe
1140	OSE.EXE
4884	PerceptionSimulationService.exe
2204	perfhost.exe
5096	locator.exe
3288	SensorDataService.exe
540	snmptrap.exe
4340	spectrum.exe
3816	ssh-agent.exe
3128	TieringEngineService.exe
3648	AgentService.exe
4896	vds.exe
1316	vssvc.exe
4640	wbengine.exe
4392	WmiApSrv.exe
744	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\locator.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\System32\vds.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\810cf042c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000876ada8281c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021db6b8381c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9dfef8281c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d50db8181c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094d8e48181c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009de5198481c6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048b3dd8181c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1764	DiagnosticsHub.StandardCollector.Service.exe
1764	DiagnosticsHub.StandardCollector.Service.exe
1764	DiagnosticsHub.StandardCollector.Service.exe
1764	DiagnosticsHub.StandardCollector.Service.exe
1764	DiagnosticsHub.StandardCollector.Service.exe
1764	DiagnosticsHub.StandardCollector.Service.exe
1764	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3808	5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
Token: SeAuditPrivilege	5008	fxssvc.exe
Token: SeRestorePrivilege	3128	TieringEngineService.exe
Token: SeManageVolumePrivilege	3128	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3648	AgentService.exe
Token: SeBackupPrivilege	1316	vssvc.exe
Token: SeRestorePrivilege	1316	vssvc.exe
Token: SeAuditPrivilege	1316	vssvc.exe
Token: SeBackupPrivilege	4640	wbengine.exe
Token: SeRestorePrivilege	4640	wbengine.exe
Token: SeSecurityPrivilege	4640	wbengine.exe
Token: 33	744	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeDebugPrivilege	1828	alg.exe
Token: SeDebugPrivilege	1828	alg.exe
Token: SeDebugPrivilege	1828	alg.exe
Token: SeDebugPrivilege	1764	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 4804	744	SearchIndexer.exe	118
PID 744 wrote to memory of 4804	744	SearchIndexer.exe	118
PID 744 wrote to memory of 1232	744	SearchIndexer.exe	119
PID 744 wrote to memory of 1232	744	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe
"C:\Users\Admin\AppData\Local\Temp\5da58bc8cb59edb352d0b5d19d5ab7468fb29ebb9572c73b8835edae24ff85fe.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4808

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4924

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4536

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3288

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4340

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3272

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4804
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:8
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
9f0122763387e2f25398e73c515017a9

SHA1
559049c571b1a447e91c4a6e85e0c8196b3fc3ad

SHA256
24a18b3bd1b3b476069218701f98dd979e2f76501104966aeb4fcfa478596237

SHA512
4c7109299edcac93989a44a3ce2c228c899813593d09b47ede37b2a395b835e0539980395ffa10d4f03944b876f4e7e302996ba4d19c669bf644ac60f1f2ed86

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d1aec0d9645fef2d502727aac6122972

SHA1
a4228fb3053671efba1a14ae76d2e9fe80e5e0cf

SHA256
18e9e8b7e055411b654136bfda00e107356da84b315bea587f9c9c322a5b1ad7

SHA512
162408b830c241571ba77d6b2c69fe54c5c8442348194eb90b8ed9dcc31008b39d2e8deb984a52d1e2958cf6cfe41d3a3231a03f365476d4364d32594f8b46e3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
bcfa3aab64816c7faeda40fbde28ee6a

SHA1
2f4a55a392a602ca2844c6a2d81101842d483be2

SHA256
5824b5aafffcc8d4c0e67a7c6e44c30cf7f47a5264567ffe240a11254b980359

SHA512
e3d79b4a4b223f9ad6c5d1eb69e04fec35fa01f849ec96e3cb367baa51ae7ad1342244f5355b7bef7983b15f648f330d10561b954eb1572dc4c2c9f83668367c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
af28a133747f95f5d32e4d381f58aa43

SHA1
34e0cd5be247f997064e580c856af1af4e273fcb

SHA256
893969bfcf2b5a0a68d5ba9bd9a3d2b26513c2a4640f031556997bf00e151f6b

SHA512
ea4e096bab3e1f15dc3a5cd4d494ba5e2cd03bf8fdb7f41e9a0b4611d6b18406c497eae40090d8dc65954813bca4efc54f528899b08a708b93f158a7c0d87b4b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
28758ebd2e11732737d2984f96e5f522

SHA1
7a094b714305c2740164a4c3b0317ed8b082ab45

SHA256
29d50e1bac296c9f4ceafa2397e0b7b884b1e7263420530b30c137cea324fbc3

SHA512
d5a156939eedc6d688a61dc7494e7f51e7cdf61ef18e6535382db125490f74419ee556ec881cbd7f9b700496f9ceed2b78eff2137cb1eaad6c271d3508d5124a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6f7e4647fd027ed4df603620590d8959

SHA1
982bddc55047be30f427624341f157294cf70101

SHA256
e3dd3e1203811a793060eec4d3b700309251788e35e1c4c2a490e2a3e405bd3d

SHA512
02bddae1ef7c27cfd1679f58326b4e5d13ba4b4343d86e9d4014c6989ea32ae2be87ebb6c0b5ac124ebec70af2882c2a2bebcc882958cd2587e967c91b5d2c06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e5f1383c9b4357cda6b1410462a45152

SHA1
4eb2cff437e6dbe39bd2cc31522fd3a865b6caf4

SHA256
2d5525d77fbf5a0f3b8c506bbd4ed4f0c1fb303677882a89ab275370039295d0

SHA512
54d3cd83fe6deb82ce859c07101d5563868a16f44d396d2a571efbb028ffad9701bc4beb72d288acb9bd75af3cd4140b400b66c6e08e3516e484dc8426409daf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5a93958a9448645ce401f70d6313bf97

SHA1
37c1e859161a372f0052e9e8384cda64d0da61bc

SHA256
48de915a80d205e8f889d4f2a30382b2bfa52f64064d4bff218e050d2ae1327f

SHA512
38c1349b1670a31a6e20c3c590da86063ec12f56d53b4a31f1726dbefe4ee60fdc2407dfdc1d92e0896fec18f8691de649bd013c6bcbd67c69b67b3bb9776781

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7736cb3a52db591674a05f7a3e31f97c

SHA1
ebcffb4cd25bb559e9b122a15a029749247d4d9e

SHA256
69e193f1ef30e04f61c571ebb16d72bf78531c372edb131a0bd32e8dd670ba9b

SHA512
7c10ca83d439610c56004f0718520c6b0647e67fc7d2419b3fe827b07dab756d8f9d1cc39022550407e304726dfedf8d2b6550ad54e42bba4ee1155156cc3bac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c01a856584d69d6b47a5da03810d9e0e

SHA1
b15052b3c0988f7671d9a68a9003c6d1003f2f03

SHA256
c8bdadf5979f7477a35023782d9241a2892c0739a5a5adce294dfb4d25db42c1

SHA512
775b0d371b6a8808d349964b6efd9b0d9c5ea75449ade874048a96e4ea06385a3deaa47600712f87ac298c4955917386729ad3cd56b306575758b66c2f400a4d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6cffdcf77901b035563cad882d89326b

SHA1
26b0d5f1c2910f9ac518aab5d52638fb13e2beb2

SHA256
e459feb5cce0195e6337ad3aca90790cde0a71616fb75abd25eda0a352f5917a

SHA512
00398312bf2e47d4cc5ecffad7bf589f63aedfe6ed53ae8ea6b0f3c4687d03e2cc4f269492e186c9d59fbc76fbf913aab93aca4531777303350afe4edba48a30

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
763b2a071316a11b54c00b5e4d4116b4

SHA1
e82502776a3ccc18316788cb2723db9a5ddd3ed3

SHA256
e56a7d5ac7870bbdd6f3d2845d30bb04ebea45c2ff1ef0e799254820e8e34995

SHA512
cb4d54766d11d172f7b0e3aee6642cef59e6243f07444243ad2e2b2831410104246d05c27da85fd36597134e8eaf2977213fa46ae47990cf58798454968701e9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bb65a99fa29f03aa0e87495e182c70a5

SHA1
9bff5740e042e246db9bff997d054cb88d1a7872

SHA256
717266c7928af70099516696f070ae1939de0b4e925c5885e2508a172ad70b74

SHA512
7f6d29c28f7427f133556ee45ef186c4ed901b39749d0419e8c2fc3165b16150491cb1e67e77ec3a5d258079149e0ff0722e36935a45d8348fe9e510d39418ac

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
72648c80973782603c498de0a864fe9a

SHA1
973f90e1e4c2ede71185a996d833aa73f93d1c76

SHA256
b8df80b93b9e12adad5c4a7c22e94a83920cca02b43206f7825cf07d00c85e14

SHA512
dc9fa57aead61d8d28982945a2b8baafc29af074e0fe2ec842d479340dd9b255faa98ec38e43d200e158c4c04eaa365c37d1ecfefdf617cbb460488de1aa01b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
112ed9a6f64a4b0dd6f4de7fd43506a9

SHA1
d9214a3fa41b7c4d6b3c27d9b0f28df1144a31ad

SHA256
ea0a5d9a3340b39b46078c3470d8e1dba83164649fd7f824e9afa54beba4b2be

SHA512
e472587ea7efc9fe1e5ac10ae48d421f6e78f21d1f8cc1e975bb94167b78460d0cb41b5591ac58f793cde52e6830e6ae4c9ee1aa90d423b040f7cbc3a7a44290

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
69471ff97a7d750cd9cf53b5ba4890ec

SHA1
1d7556322b4c31c684f8d3a49a86a86583c18bc6

SHA256
201d9544230b85bbd7a64d9eb5177759a68a3ecb3cf8fb6c6959367635c00304

SHA512
ee308fb2f207ceb0e52b9f1685b9b2b44176b3045e3870217d7ed0e01b4808fbb33af7d754432f9178ac5c36cde886fc617d47ec5c07a5a77acd4a6c96d74d81

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0a4f36df36a37a6402f6f9aed5447e62

SHA1
2b815eaa52ceb45a05d82459d8662357a3856b06

SHA256
59f801bcd2d7ec14ce8e43fc89b0fe4f129cba295d8f82ba7ab392f0e3a84b95

SHA512
dd2ac9dbcdd5b7e88634a24e8a71ec982c153c0149d71cf2f245297f117e4386fd00095074953175978c9644fb9c537709ccd663c0fb11157cf0cde0f41ec2d9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fd3095711d502f29494ddace6c434fc5

SHA1
24048e3bc19fed25ef9fd33425dc97c3ffcbe07c

SHA256
fae43b1a15dff94d7068c57de3071124d338c8f745496c06df3454473e4f21ae

SHA512
b90f23642159a74a1875c86509d1f02ac9650533dc4e166e5bd8cd478ac2947724da59219dc73de1436392e774a620541f6e6e0b27544207210328863ea732b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bbcfdf93c5e0eac036eb004e1a9c6774

SHA1
c9c5e0504365eb9d137c99e64d1639ae99179b18

SHA256
f5a026f5da7e4fe8abc3b1e17336800f6351d762d03385a86a21881c1adbfca8

SHA512
d7eaf3ac9e0e9e1fb9c9e8b9fa905c87000e565bd31d2b1f4ebdac882022eae81f9f500b023ca85863f22846b1d24175234d8d9eb740508f7bab3d2104fc721f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7e9c0808d9c0778987eba0175c26df4b

SHA1
25ab8f5c648efb04b5d464af1bd8c8b5af371e14

SHA256
daf0d3efcddfb1c7bab8067eb5848712fc4448a8b848000aa38b5d61a79b5deb

SHA512
c41e642c82100bb6c5d79295c9f27e52b7fc2757eb7669af38e7a44281a3576efb6bb925c24083b21a9212ec4d1482266cd6476140307a0dbaf2e5bdaf45bd4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bd515c919f1974beb5c88ed3fba6add6

SHA1
9e516d84afee84d4d79dee88d34c8bf088ac94a3

SHA256
9785967b19aaa06f3d818791e9001190f0435ec8b3b8dad28ead144f8c4f59a4

SHA512
e0124c2372b8f54c1aa41cd7171d6ec5106bfa4daae2c46e2dd9b230c8f88bff1efa2e320841e0d837d1d3417e3885d1a8dd74ff569f7dda138ef08677290dee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d85bc0364acf61f85c0cbe8396217da9

SHA1
e6c9c768286079a1c0707c20f558b5bd53ce4fa4

SHA256
338512aad8f5b6a870bb8b5f015611ce635d7e531d0a8f1d065eacc851bcdfa0

SHA512
706c5072696f75d9efa9b05bf1b4a6ac9c2c0c4fde1f8f0739dc51b569522c639742ea3afcda0a1515ae0f756b51dcbfd7720ea1b3f12e0664fe001c25652dd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5b32f059b8d826326635035df50bb302

SHA1
bd1bef8dbdfd3ba04f0938c5c2e42ad46c412ec3

SHA256
54526e7fc82d753d4a9250d6bef25839b6878c655662d8ac0ba079099957b483

SHA512
b1e269932d8882ecb2be4fb31d683d52c63c034433ff9fbb93b05e8c4dd8ba2f1637a0b6fc29fa5451a77bde5cbb013300145dd9733f7ab6917f3039748b3edb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
205a95a2c61ef8d98e660050fb6788a7

SHA1
7e57f868dc659253893c8a1007d3c34061166009

SHA256
297e7c05c7639ead61bafcec06a3200c18dc5d29d346fd4abfd8a01480a7eb27

SHA512
286df20b6d97b02f053e30272a1329f94fe1225de5e7f24b096a5827941951b122e570a5e365091d062933c5d81b21bd3a976e62d5d2add3bd27852fb852494e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
55c7d72d5232ea89cc0165a51e006a0f

SHA1
5fedc5419213d30621a08db2dde2b871396c9ea2

SHA256
1e61306b21df114f0a77d3e433cba0c1c6eb4689de854033ac7b9c6e8e41d111

SHA512
7ff3593af5e02997ce97c9b66327fa2fff7d7aa84f28fab07c844b7d019b76dadcc777a32dc51b9e6cb97fbbe17cd866dba1ff27ba5fffcd2a3a0b12e8e45500

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
852181d6e142b8ee952774bd60a71104

SHA1
e11411a8844a1beacc127c34686be0a32a27f3d9

SHA256
4a950af0a6923e0086f41c7f6f89afce0bd701e8fb316f4c3813b9627dc35e65

SHA512
40a31384254a1e04181a449a221184d4bc5ce6891ee06100a2256d3e2a675b03a5ef0ad17f6a0e9027af56515eba068978f5265f99257a3e56cd0047974e64c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d82df38a8ffdfae5bb1aa8350ee6752a

SHA1
402660a9db742539aa608bd09f5de5eadf179c4f

SHA256
4cbc01830d255dc996d729bbb5a0af6524e27b80938d383d721dce5878f2a685

SHA512
6611e894b4e33bc574bad33a709d7065237089694fa274191f02b4767ae27cd2b047d30445ca098792c6df949a997f60c4fe6c9cdfb515ef420dff7676e9c85d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e19ede83da6fc4e8c46342fcd2c9ff06

SHA1
ba4a7722e1d24d721a2c6b4daafb9b420458e510

SHA256
8d0cc8cb0c31038dac1cfa7eed3d55f0feeb4c5ad0bc4a1e898a6c277ba65c61

SHA512
edd8818e9d5e0edf6f53ca02d29e4197ea7348b2c70e1a179c4bd62e84c1a255981304d113b50d238959fb6189268bf3ba82948557bd476fa70a8005fb1d1646

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e785e68e83519806a99b5472e6f882b3

SHA1
c92c24d9a059c68cdd25cfa800d5f73dfd84c532

SHA256
e5a5d381f8f749c2601ebec1387eb0785f8cdf3187ad7acc6a39f9883bf3e122

SHA512
f0edda4b8bd3e878ee118b72b9136fdc724567515cf8f695dbdb51e5ccee8651048b3a877a5072bc8ccf6499f0ef6affcf511de5b481e21c68984c97ceb11d65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
fbeffa63d58e0228e3ba6c02acd94c67

SHA1
b783ae1ebc6bc3ff0aa55ce81d667268e5f2bc03

SHA256
8a0de14497bc1052bff6188c93b5a9d3bf32bc75078d2ccf91413bab5ef1a512

SHA512
e637b1f18681346591b0a8eaddfb40bd058ec4d5db8078750c8062ff5293e2d6b341850f218fe62ca583ebcfcae50f2d607ce36c8616b25725e88ab9ff9ad1ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
dc92ec24b2d0c91784bf52a59981d3b3

SHA1
169bc0d13a8de274e28f9093da151c8ecd065ce6

SHA256
a8d255d1290bce6b7f5ee570c48f48aed975d05d2f33e7e54f73897cb3fdd33e

SHA512
8d8ba7083d1fc2a5e236a23c79b949044a2c0bbab874b6f2c66dcf5bfd5f8d99cf88f3eb5bbb879ad919c7d5279831d43834a54f35762dab6d2b28908c0cc96f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
18665dbd519c3d7072db4ea3bd5119f7

SHA1
03bdc7baf7657b8edafadb179a69b63afc56fd66

SHA256
afda39f57dc1a0636715bb96a06903c0371d411ad78c15814c628b642ee3a2cf

SHA512
39a188b3272cf1b16b0d45bc90b1d2451fd21461ecc20c1eac7851dc0df6a064e282d8703c9a3381086df4239d15c961b8a6bf33f60456be7d9de7d71d66ed80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6a1f5996c717e996a63718426f2952bb

SHA1
d3992892b4928ed54ddcfc8790de5179a8e1317d

SHA256
1eae8282258692ed63604df1e98c7ac86069007caf15b2432d4891708a9f56e3

SHA512
288698c8115b19c8aea41b1f2dd62f09fdf5a9fa4dd5700e28796b7c1212ef28ca12ad2f72b38f5e57ff6aa5f42a6738f8c1fcbca26a451544f1037bba274a93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
73658469e5b147487fc1b36312994be4

SHA1
19515c9be7ee674329ada466525102951f0ff445

SHA256
d78248bb4bef883b38385b056496115327fbffef26dc8b807161c51000ffcf6e

SHA512
e4eb485a56e709688017262e5b5e39d00da8c25d31a47497889ba7a08c3b7f62ba0d1bbefe4cd8e853ca071d616e243f6c3276fb2ea5a4c1349bc6b2a0561d56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c9f71bddf640f94a36b7574194fbddc8

SHA1
e32abaea84c29d3b48a291b28eb011bf127a199a

SHA256
2c6f68a67061c4f546c62fe862f43d6e9b31a8d64544fccba708ede12e2d2569

SHA512
53b0d3f303b2bd3d497d1cea5cfb1eb37a9422e34e8add4bb8787be8bf8b99a66706baafab1a7ab1262e844a831f4ca3c594de89c4e669ffd2fca8bfd359b82a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d17e0bd4fcde06c2726b0ef8b915b2f1

SHA1
85b40635a8a071173b435b82c2aff58785d88073

SHA256
3aa84f9ad29fd67f7861605528212660c5cda399cf1e329f3ed86ecd667d15a8

SHA512
7b3a99cf14edf795ba6156079da031c728ae896628caae6c962680a56c8dcb31da30fdae927fd778ce29ca53f924df2d3458d53f88d663b485cddf1dd0d1fdc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
0c62536474839e3ea78a6b10f86e6adf

SHA1
7c7ce7873b2ed192aa768bce264ed4cd3fb482e5

SHA256
4971353ba66d063ffb2389718c9118b355bfc7fc78a519274ed11ba1bd2ad37f

SHA512
f4558553cb25a361bec763365a10a3eb4dd3b414efbca7ecc1328aed2f5e5157cb3737a6d31b01762e5a664dd8ea0b51bac699d0eebe4880b57cfacb18b11d18

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8f53763681c965ba8d505da6d674e58e

SHA1
380d50aa03b1ea19e8d580d5711f5fe360f0fbd3

SHA256
e20f5af0c3013fea1eac34f72a39a916f8c97b09cfd855f01caa3811915e39f1

SHA512
72acd948306e316882c33590030954bc26f715857b5c147611cd93d8e4e02391080e7fff2f3d2f3454bbcfb78cde897c84887afaa22bca826ff03b820e8ec1d6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6957026c24ce861343c235276143a389

SHA1
fbe8e61759ac5e5d2ec658214be031864b91d5aa

SHA256
d2781090a90fe50fc4b90d2603aaa38b67d0077d457460541a636298fbb72edb

SHA512
e46f690a832e1c81632fe08948bb593debd01e2f0728173b828d9fc28707c3eafe67e559f436ee9f9add99e61590eb2ad860176138268a4a29db7f2dd374e603

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
143bd853f8ddb378d76f7f02c481c7b3

SHA1
f99d48ecff7041acde25d4abf6738df8cb128d12

SHA256
7a58783dd58f76fefe4e010bbb7e8ac7235729daeca84045cfbd244a8c148e0f

SHA512
1ba548419acc7aae3984d4e633264f9f598e58840f7fb2ab35c5f545ade17d53886255c5d8739a9193188b0905c2f10fa1aca96d77c521f75bc7b3c51950fbe3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2ba1e400f2430523e9791b0109a6adee

SHA1
f93dbad5557f538efaec311fd7c2f18fec84b9aa

SHA256
6ec83bd13cb3a5665dd1d6986f772776df869c8719223ae76fc768673acbf407

SHA512
171b3cc5fe84aac4a3a197903e80e0c538aa37af6d122874338f18c7d40a0e43d58de3c00993fa5cee347cc3bb76172b08604cb264529b1a6b1047852226361e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
44f268ace1803261379aca47923e76d1

SHA1
cf6d9eac9ee7f7897d1072769e59a1034a4a2fc9

SHA256
6ddae904c608c56a913f255b6eae5fb73114cc965a62e64b6f6add4757acdb83

SHA512
be20d1bb72abcd4aa0a0b0260889c56183488546727036300ece8b8f87f55e17fadd130d5b3dcbe7de7a29ffda8cab19b648b4b010f506724ae5c1c933103aaa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dc36f53ad1dda94539d89750c22fb09c

SHA1
6a0acbc8ecb68424032547672aa4566e099c3245

SHA256
92c13637be2aaab26716047bf59ed360d9c9bfe795cce863c5a8404b2d07a431

SHA512
569a35e52950c7e4e4150c8b09d2a576f106854621bd40579856f763cd9f3711c2c7cecbff231626892d5eadaa646f38d5fdc7ad4ed174fad3cd888b7d840613

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2dc85900a6d2910c16bf4a5f007e6365

SHA1
6895b68ea7e2ada13f2031411b4a32aa4094c74c

SHA256
d0d6a6df98091c3c279b77630b26c4b9c8c32706eb6d5fd32704cd9fc1fd0eb3

SHA512
3b6d161a90046ccf141d05cbb382eb3f4782dfaeedddbe404bb5b1a930d56dac59a5d6d35c688cc6e8d6b6061b6406729a6946e5b8d38a4479d269ebe8bccac1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b591c3562d36c838b6586360eb0bdd3e

SHA1
1ed766be7981c3a842278b0511a653ff3346f522

SHA256
c767e3e2fe9600a6b6eaf967fe61feaeac070622c7898c36e9b5e012f8171d24

SHA512
8b15e3ae4d43ef10d6740831404c32a2adac307694e1fb6c13c4103d040bb992b43b2ee375719232ea2c5533257704b08d6fdc38586f6eb1144d76d1e3c57b8d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5ec35765f1d06ca49f9d92dce67ea5af

SHA1
2bfc73bc42fe595e026628829cce4a68395f4387

SHA256
621c2320cd22eaf678ee7d8c3cdd3cf0d84693e7e417908b23c1238617b32860

SHA512
eb6e38863e077a6a9ce1ec92666c164d4c429f915a6e4eaf192d7233dd7165f2c043efd57920ab52c31cbd09d4cf7dc9d7ac99f66ade61af516f1cd771cc925b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c5ba327e1ee0e3d71f1b2145abdbc543

SHA1
b44c49f3f9d04d4c6362b3ba825ae1330ed71241

SHA256
77fc9fa0a11127ebe5449701b26c3978629c537359fff13dcdeff1637138ac99

SHA512
e8dbcf330ae65530fb43cdca410f83fd58db2878a2bc4dd09e875af85d9ac901190f5b0f4d4b2c6adcb3f8cfc8644067bce1c3511703ddc71b8257765e5cff2d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
32e42d33a1a1c05ef770c58ddaaf1aa8

SHA1
2940d69969bb46766ac0e9d5afc47a47d2c9612e

SHA256
bf48e55dfec78c2a0407f89f2e4cb814f3802b8fe15ff05f4c667a69425c2b72

SHA512
46e70f97a1711f6c3878e55513dc3cf3383a0752991e5b2a2509471c3b8273c15114b700d0ab665c733b32913d2301299a7143e1ecf046304fcde096e02715e8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
052ad4ab68a9e62388d6e8152e3594b4

SHA1
60e155f6457a8878c7fda58dfb9b942f7a638a27

SHA256
d2d3abdcf5c4c566456c1ac3561f9e759546538e5b7c22f1e42b718e2f2e7e4c

SHA512
d0c4d80dbcabc4dbfbb0b6060286ba8b34f2640a48ffac8f9aded1ad709fd021ab42d5bc23da882c27c569c9fad22fa7d322d66fbe0ad438472ad1d37fb1b4cf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
283a2659e69e0b4d4c10180199de1c96

SHA1
0c80952fc971ec3dd37bf208eea7cc937a1a19a0

SHA256
14d68641b09905da470a872ee51d89aaf092527200f033d119677a4c0f7875ae

SHA512
dd7c61c1a5b859692a4fb2222e4bff50946d533ef4bd8f03270bdf683536b65aebf9a65444c0fce09c822da35121fb8fb167fcfddd77d1003bfc729eb2954ef8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f9f92324285c523e0114804ac82b16cb

SHA1
b5111a90e8d51e504e5f239dd0ef4ef19a155acd

SHA256
6382432ddc398f467cf2b4fb88d05b865e51fb452cae7547d4859d3211aa4bed

SHA512
281979ef74de4a0843f79369d9b99f76de23684670857c940ed269bcae3de6821aee78305c823a5a24f14257a0d2e0ac07859e6e05fae471ab72db5a10e36094

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
413e0c1b05e7a5c815d98c95f65c3977

SHA1
1bb9b1c71226c161d8d8a5b25ad78968d66caa55

SHA256
b37f6d6e2cd39bce68bd6808a49616403791dfe5183bc8a83f587d63df87b5b5

SHA512
88dc9a5b3ddb7931fd2a116bccc71f9d3bf90b4e81bc064552ae649c65168c5270b40568eea91bdcd144dacc5ac9cb3eaf3dcbe410376eba82700d2745c95cee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5731612ae6d772608055d1150c47ce37

SHA1
8fce0d8d40c674a7e03a00f27e39be3d91593469

SHA256
5491a7071aba1422d2fa3cd0e95bde836da4de6074c03cce3098c6c95920c39f

SHA512
5ebf7f4930e699616675f4a5a5631de28310427fe04037c096c64c0483155db7619796046aac68a3c073880632860e3a0d0d8f2fc84ed34ea2e475d2bd71c5dc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
abddf576331b553734b3dd7d5cd66e4b

SHA1
e75d8f30a017bb26b680540cd0e7cda1657835ed

SHA256
56cc09872b0a5ed0f4ee6789291854b8ae991d25e02fb045c6c227f88cd9a560

SHA512
519e35360eb40aa68a1823d0e0ebe53a659fc1cb78d2a8d65a9a0af44785b89e8876a4f518d37e91168fb89db0ea76221624e55fc9a465dc33ff4b0e5c5fed17

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d31c23f189f14b38eb29ec71939e42a1

SHA1
2cd07f8ebdd911c7b489217637456a996d52d90b

SHA256
d8f58f9cabcda43793f85b8395c73c3ef07be5f8466ac1a4708808bf6eb0f93a

SHA512
21eb644c77966561f6242f46b5ce9a656c6e4eb713d6c4aa004096819e1db67472f8e9be0306674883ff139595ae578e5da2795ad67399ba3dd6bb765b0dd3e8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1daf7e866a744738097c4b571bd46eca

SHA1
877ffbee4b1331d2fe864991f9f0b5d356bcf6fb

SHA256
6c2f969eb9b1577fa8b7461e57c1df8e1f37746573d32f2a7c26c8e028735472

SHA512
90c1c39e7360d5f90d00a6b2d4695121095f4f5b695ee1682544941628b4d6197201da06d7869b74f23a76227564277368219eee25c146dd5578ea2beebabe7c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e0fc76fbbc3b6f6c20f7b8b320565d79

SHA1
bbc69ae93d8d28f77cef22a7624d06be81d72142

SHA256
a3caa6ec2dc7baaa0ff900aa6af746c9f63761ba04b571756f5e97c5c15df6d5

SHA512
097ebb3b4bc8809f3b0c0d87f2c70424a8f586ebe3bab87769071f6f855fd14d1c4b9a5dddcd0e17d5a6540c5c32023adaa8cd57b59fbbbeb6a7a301599ab31b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bae0cb709b8221fd5d97eee2941fb3c5

SHA1
84b720cfe515a047ab64b89c4afe0eb215d21f9e

SHA256
b81eacbe5dc043bfa70c32b42487fb5ef010e3afa3438367196cbc575ce317c2

SHA512
f314875be01b3f0f403ede454079d08e65b140b73af291beface34bf85b51e6964bda7060a4cfbd24e834fd764538ac91c171592f67af33225e61cfde2cc1642

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6456064ee58093045bf0d2da30932ca9

SHA1
01d5f24965e689ddb958ad62c6531fbc3e903eaf

SHA256
8548f8368f26bc432a6db342e91c31af48a0a36c3084d808bf24a7315af1b975

SHA512
1bab79056cc0d9a37d69e2b2401c2177cf267fc9929770132621ced9502b1a4686b4b3b066c5651bdee0582cbed28335761550a8bfcfa41351196662ebe68f59

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
430aaa184cddbf6a9b728f25d5ce2824

SHA1
77470acfa65c0e57d3afac8bfa5086d25f23e461

SHA256
fbb83d94a81efb508aeb9d761ae469a62cc697c622f1b0531a98827bb772dde1

SHA512
89f5096190d29c308e49bfd3b135db2bbefa156584796146457b39a84418d59db3dc9103c87429ac69c979d70f4b3a5668f9c7e0c416c366b3f707c8c7fe77e3

Download Submit
memory/540-469-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/540-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/744-565-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/744-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1140-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1140-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1316-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1316-562-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1764-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1764-136-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1764-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1764-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1828-102-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1828-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1828-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1828-14-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2204-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3128-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3128-558-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3276-58-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3276-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3276-52-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3276-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3288-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3288-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3288-555-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3436-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3436-86-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3436-75-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3436-81-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3436-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3648-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3648-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3808-72-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3808-9-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/3808-0-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/3808-8-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3808-477-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3808-475-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/3816-557-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3816-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4340-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4340-556-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4392-564-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4392-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4536-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4536-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4640-563-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4640-253-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4884-126-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4884-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4896-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4896-559-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4924-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4924-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4924-73-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4924-186-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/5008-38-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5008-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5008-44-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5008-49-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5008-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5096-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5096-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download