8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
Size

1.6MB
MD5

afb97e61c52d03721cd503e8c35e26dd
SHA1

6625d047bca2668fc164e9df85961b0029d84f5c
SHA256

8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d
SHA512

0c56fe6325c12ae7e416790dbc07118f5671982ded09e617c530b9deecf3013ec88b5d8797e2384cbabc8136c435ce97321006e4cfd3b61f2d60011c7e0fb89d
SSDEEP

24576:KEpQQJvKPzvYZHTHy73xVirnlBUKZ408vTZrX+lgdW:LKPzvoS73iLlBUKubZrX+ld

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3024	alg.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2032	fxssvc.exe
1564	elevation_service.exe
4688	elevation_service.exe
2748	maintenanceservice.exe
1688	msdtc.exe
4908	OSE.EXE
940	PerceptionSimulationService.exe
764	perfhost.exe
1324	locator.exe
4056	SensorDataService.exe
4536	snmptrap.exe
2716	spectrum.exe
2276	ssh-agent.exe
1100	TieringEngineService.exe
1260	AgentService.exe
2852	vds.exe
3384	vssvc.exe
4476	wbengine.exe
1700	WmiApSrv.exe
4444	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e17c4732253fadf5.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\System32\vds.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c53be29ac9c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c79be9ac9c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ded27a9bc9c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003dd9df9ac9c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078f7a09bc9c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9a14c9cc9c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f25e469bc9c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8347d9bc9c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d756009cc9c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4776	8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
Token: SeAuditPrivilege	2032	fxssvc.exe
Token: SeRestorePrivilege	1100	TieringEngineService.exe
Token: SeManageVolumePrivilege	1100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1260	AgentService.exe
Token: SeBackupPrivilege	3384	vssvc.exe
Token: SeRestorePrivilege	3384	vssvc.exe
Token: SeAuditPrivilege	3384	vssvc.exe
Token: SeBackupPrivilege	4476	wbengine.exe
Token: SeRestorePrivilege	4476	wbengine.exe
Token: SeSecurityPrivilege	4476	wbengine.exe
Token: 33	4444	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeDebugPrivilege	3024	alg.exe
Token: SeDebugPrivilege	3024	alg.exe
Token: SeDebugPrivilege	3024	alg.exe
Token: SeDebugPrivilege	2088	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4752	4444	SearchIndexer.exe	112
PID 4444 wrote to memory of 4752	4444	SearchIndexer.exe	112
PID 4444 wrote to memory of 3840	4444	SearchIndexer.exe	113
PID 4444 wrote to memory of 3840	4444	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe
"C:\Users\Admin\AppData\Local\Temp\8b19858847e13305c37e933fddf5d212bbd7400202d2f2df012ae4f36b6abb2d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3976

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4056

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2716

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5116

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4752
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8c63978942d86934493f720b2e7684c5

SHA1
b830649996dcf02d37b9ea3b7d2ca3136cfa3fae

SHA256
008c208c390565a5f82afeed6e284436cdf219c919b61634d440612623280bef

SHA512
801d9bb9c8f98e552ee48a1b7fea62a584d844d57eeddadd51d1d0d029d4b5444acb605c1ecf593e65824b85b398688c3c4eb6f3fa3c19ed357a0695e06721ef

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cb36e482106ad69638e93032aceab723

SHA1
0f48a36e9e86e079a92f2e5020ef4d44c79194f2

SHA256
7ae899b489685599e61124ffb70fc4fbe4e5a32431bdd0ac6c6dc2d515be42bb

SHA512
967a9202577e79863282587f1c792a7e7d16dca4ed8b1494897e3d97070857e31bf09b897a51c0e8b12b23c7f4fb24dcd0987c4060238d81da3d55306800dd00

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2ed6c6db3de0baa33e1238f4258c1e0b

SHA1
f93fa9586782cbb08f904b53bd6e3f3edbdcd7a7

SHA256
d801d0b5a3eef8259a21760cd8219cc579be7c080048999235bab49b320569a2

SHA512
07fe76c562575cdb9ff1aec56d128cc187deefb9f7ce9600617404b3e4db47d218320d00f5cf9a453d214566f8c2340a23d0b05d39b334e9c70202c0d6739d42

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0944cec358d94775115c333fca3de8a7

SHA1
18a4dde901a6aa99f71082d406208a41e909353e

SHA256
ad4c84c4d5e84ec0946804c26fb9077032aedbef25fe0852dd5a7d353969c91a

SHA512
6b04a06a13e0dfce73f30283cead5518e6dab59da10be5928271b4f46ad94eabab4e4ae425bd9e5bb1b63df1cc409e2b29c7f34bfa10041aeaae01694420ebad

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7ccae13ce6f354b650fad8b63c4f15dd

SHA1
8147639429a2e274b314ee793b30de66e71107f0

SHA256
eacc81e5ab8e436e59032bc476a0316fe175deb83edd09e25cc08ae2e38a6ed9

SHA512
378558b804632bf287ab859e268d28c14b1e9fef81bb3160c948aaae342656362e1226e05082bc89125f1aa7ac9b6064d9f7bc631325529ee9d4f607a6bc5049

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4ab75f50c31a8abbeb3cb12bbdc73e2f

SHA1
6f42625d51c3ae27c7b7840be674c713eb02ecd2

SHA256
813fc9dff6f8c0d940ae27bd4603e4da7d72496aafe0ac531e8aeec4ba500c1e

SHA512
3eb5d44091a7d09b5cd3554767180b08022b8958043c374a2199eb3d1d1f0da69a02c47c6a5cf7008b8fc2dca1bd6687115b2f93ddcb732934de891742ab623b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
30ffc58fa61271fffacd946a9e452295

SHA1
f34a5d0041553d27e4c50f499acf7682a32c98b7

SHA256
574c56076964fe9cbcea657b8872805298e2ef9d0db21c28243ffd3f2a28e9be

SHA512
d1b17dbecf3efdaf36f8f7978ac9f48e2b8f5a5374b73da02bb3962a909ede38f955faa8e87ebb268d58e1ca39fe74f18cfd34317312fef01ca23fa6dfb3d8e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8c89a6146c4d672da885fdb5d3a88848

SHA1
879098ec14efb47ef424e4c846997905c31109ba

SHA256
45bc1db3d8eca250f4f37fab68501fa40d4f3c300bfd76fd669ee55979243596

SHA512
1bba679450a4504bd9b4c434eac600056a0e20f6307b84256cd4d411614c37a0aa2bcf09403be4bb631d5176090815c2c3e6efe9f13cec1ed3bc23550f21f9f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
e9e46798a02bfb561a244569d83a5db6

SHA1
b352c2079fb8713a65ed26a63ec06679cb63cbbf

SHA256
e498e55086e037ad64ab02de904347cd2bb7a93b260a68c36ad9823d9cb27971

SHA512
a408a4cd8fedfc607f95c286238fd129cd417268a8f242c51faf0a62330cb95714daca362a427dfe8f9625e34511fdf1b3bd0d0963af51f76be568540f742e8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
58d3f5f7a838afce0ba4e45450733408

SHA1
927f7c2602aa874831a1393254e65515c1220628

SHA256
2cbdedf32078c64af3a0c8e4531eadbc4501d26f7642f559ba5190cf928413cc

SHA512
ae51706d37433dc70cf4b94ecdf3f8508457e0401d916c3548b83a2e7a713bc9fa1ea43ef77027d6512433d42826228e6fc4e2c67f8f1c285adcbf352b5484ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
732547966c64bf268f42d45671a81169

SHA1
75a16b44b6f697e466892353ad6faba61b14af33

SHA256
971df3568197ee0d294fc96e687029db837488884e20976819abef44a19c605a

SHA512
eaab30e3b38508a7ebfaf421219d9d293321354cc41786552cf0e22d4630c6a04e488368d2f6ee191ebb68fcf32706ef52993b05c87da6fdd1e52f34d58ba477

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c96dd86a34156a442d58e43f84f33862

SHA1
98e4931921c61ee6a1937396b46d0d64a8bc9704

SHA256
cdded9cf58adeadb22f0ed727d57ab0e6ed277a47a81d894058123df40b53709

SHA512
c61a88bc5e5f3f6a10fb3c7408474d760df58fc729545e1a593bf1ca4490f82c213231de2012708a2ca65f668b5cf3c725ad000135183e98f0ed6a8a7d54b807

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c12133d7b5992bea940e04385ae8b098

SHA1
4946e67c41f1edf7c231eb4420e56ff71f1db2be

SHA256
bfa4cc86abb9477d3e914b28c6a856060759be1c13a370db1cb90e4c56d1cbfc

SHA512
a759404d17da611e2cb4831b288956ad68715690ae5560c8fa9e8b532d71feb57fb19e73f7f5f186f07f75df54edb4147e64e3dc2edd25930939c5e83f7fb11c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
1a68eb9ac447da674c207301486f70e9

SHA1
40035f3ec6ac4f774dd93925ec468cfd833b8a72

SHA256
bf54e5a8e9e95dd09bf5a20bf74360ca62eadfdac4592210a5fc68a7508d5afd

SHA512
105308c7457f6e2755215303a1b773babafa926bbc9a8980e377bd3cc6c241fa0933f510b072c0f0da73928faeaff321f51a7a95b7c99659ea1f881f6f928d82

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c420ae120cd9e0b4e2152a8e0f5abf52

SHA1
2a6c8c7bc0485126bfb7b82e8f13798283ffb4b8

SHA256
7e7b343667796f75e667a4ee19568551d73dd7f57c7f012c651e3492d1a8c8d0

SHA512
1e86bc0ec1772b28c014c1a0c917fe6b573e64d77eb7ee6a147c86b54c6526942e5c2d478a2e847b3525dfb796bf670addfbc44e75fcc986ed39a2791e0f258d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6735301c5c35e042bcc79da8b18f521a

SHA1
04053e857e4c38a700cc0eed29833a7fe0f2f499

SHA256
17ebb368ebcb6aebb939736fd19463cfb833209e1abff0ea3011378a81c87b1a

SHA512
0d111824c066c6bd20cceeae7f08848f134db1e8b4cf2e11d41951e95ce2070a31b2fa0456aa982d275b6a4150f7216af52d2ba06ccf6b98e5551d02f05442e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3a9af39c8bc5da9f56ba419e8ee2240a

SHA1
e4b9b75b086e59112a84bfc96466e6e5715394e5

SHA256
5791e491dad5415d3dcccfd82e1c3b64ea76f5b5882ed5d408038844046008df

SHA512
f479eb0beb25a2d5f0d6ab4b784855f84438ee3ac072d63cf00bb24543be3ddcff6a90df7170d50b919d9fcedbd3e18538356dc085203e2e9036732ec32e4ed6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8aec3e24b03bf8bdfb83130e37120ec6

SHA1
bbc1f6119248b33e67728fa11698da01642a8d49

SHA256
c5f12226004599cd394e8183ef1d6e373b9f5d2df79731f3c453206f8c82dac7

SHA512
681e21ad8e24ccdfe94cf46a9d9bed7b31fa179c7f9fb03f040ebb60403dcf74ef30c3f5c8d693f40b43fcc684ce61f28959fc1733ca4e58dbc46fbdc3ae99be

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9c3c9cf6518e82e3e07d37e25c875f1b

SHA1
fb8740144b06e9236782c60e0508ef4e0aa92c24

SHA256
e59c5e3c965bc675c21e5fffc7ce219619a909423535eff3982f4854e65ba05e

SHA512
a879ae74c0d505df66506d05fb64a125721a224b7d7eda9a603293860f36cf4119b541ed5d568d46e61fde129752addce6485de068667b6a11987208bcb65944

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f2bb038513a1c693d40210592b75005d

SHA1
03931a09e7217488196c336810863ada5ea18e85

SHA256
c9f20d49695f723e78c449454e477f39e67840580c2181b62264bd3a37f15cef

SHA512
931ed39171d5465976e4ca47b6dfbe8440ffd4e2cdb40a2f97d9ac8377ca87f6e8e708f7dc4e6e1f0e67c9b1931cb6dcd50141eb077cb3ac65479572ae0ce8e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
31a671958850254154f33c53de261f44

SHA1
5d5694da37eeb6d0277a979c52cd71968ff16ce1

SHA256
c052f578b963e617f520510861126c62928664a5ab9ca45daa817d1db95b724d

SHA512
1259347f4cf99268c0a5979e8bc55d05f6dcc6fcc4dddda432e21da85658abb47acd8785e7da7d5b5a017244a33e2de5f8235790050e7d1e7fbcbe6015d565e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ee8c0f0934d68e610d6ff6dee40e1033

SHA1
79abd127cd66c88f8e98ea0452d94e1d0b103a66

SHA256
bf0823f327a091a676fe06871a740c23f4d4147dea6c6ccba3698bbddff6bca9

SHA512
9c10fd5d7b9938bf590d24f51e598d5dd0e23dd7faff9b8a48fabc57faf8d288a149aa502c4ee28fc83503d7f01779b6c6928d033a01ff6c1eb82351e7ced776

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
cfe4015be9836a7287a78736cbad09c3

SHA1
331eb96a54173798b783754c12774ed5a993e64e

SHA256
702dc4c3d0b7c812a51dde6caed807e8ea3d4c8c33415a190c34bbfa6bce1a63

SHA512
ef29e063448e2858c2b3cfa28462b9fd54a36953cc6e3b6e60c1a9bfc4d0f4c9e7587a7a4a66c72035791638184b9bce578505aa70cce67d6678a490653f071e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
8af5e0acb88c3dd5e4f229f7fa36c1dd

SHA1
5e0ebbe1954096c3a39abaf10005800fd8ef1f5e

SHA256
5357828e2af1f260fcd7962c0d491ff2f698a5128790991443d5140a08fc9b0c

SHA512
ed8f5c4140ecfef03c9a19b17718193b0a7bb62f9eb7cbf20b3db4a0c3096672050a247675b7accb31609317e6bad14aff434ac6b2a30265a1cb9aadfca27e5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
fcd7a61f506735f6431065beced22b62

SHA1
d37eb9955e997b19f0ae299d134f4fe2e4f4b725

SHA256
503d3265ba2636ce94bbd24957b372e5ba4341ebb61938b22652070a2366dfee

SHA512
ee79ff214be4a7463412b1f3909b8e6b6b97ad5fc8fa898dc4ac38353c657879c9da2fb668dacaaecb334987596f7a81b18709c72ea0d9f79f0837908dc01448

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d762dd2ca334cec1379da01e0ed641a4

SHA1
45bbe1776e3dc2a338f1bd185459c7b8229ce48e

SHA256
6e25214fa3cce5b65cefddfd59388387ad395736abe2cc5f88636656360ca3ff

SHA512
97247317015c5f6d45d64de655831842d8b6ac67817f4d14f4fd36cd1508afe52fb1a03f40eda6616b01cce7aebe2a2b3a5222c7cccc4129e45fd740a81871b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
ec7a7f3e68210b069cb5225b7d2c731e

SHA1
abd05bd79c10ead51c3a4ef7bd6b82a24b57b88c

SHA256
114ca53a70382c64318c98e908a300f858ab636a2903c4bc027933f89e10e30f

SHA512
f2f4c132a69fb61a8ca1d083a9b526d2c7cd93659eafdd20256b9d0d4c3038a2106455b0ae3272dd5a13467ec4ae5f90179edfa2dc7ab5cec655369960361304

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
dd86b922928f83ea3e0b2de3fd616af1

SHA1
55ec08a692826eadb2f75d88c5b92da770af7221

SHA256
0adfcf05909f73842a6cd0c5dd35cbfe26fcf7c3ff53028a75b3026cb08dd0b6

SHA512
ce63c04dea62e2958023abcdc521cbbbb381ea259aeacd195ec2c9f1512aeb8c5894795e9e3b2354e95cdd1eedf12d86ec8f4322bacca6c1dab2fd34aaa3ede4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
881332315498b6b4f58eceeeaf9ec585

SHA1
148c2890a26f4fcc7cd5b9797e2a0de969938ed4

SHA256
5725f33ff6f0ccd249bedbc9ff944e813a05b5adfe08db577bceb07feaa03b13

SHA512
826df10dc63209be719d21839dbc7baf368af8d30ca00a5775255b4374815d5a2d0d45df431d32a4c9ea013b94723dd9de0c5b7214f3124f8bdd692ee239b06f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ebd732b4f2889c9d4a26348c0542cbaa

SHA1
39c19b95dcbd7ee3d182df259d0965a9de85792a

SHA256
464c203909552f86cd1d6d206e0e76e0ce2ed92e65874a80a4345af8b75abf77

SHA512
cfb08f26d4a92636461f1a44248c9495e63effe36f579a0ba34c6e2bdf6d808b61d5092066612ebbf157e1c2e82a21133ac3a19873ff9f2a91ca1270747d7d6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
812e010df9c77078e6a0530a63217fbe

SHA1
76bbb78774e782abf62ff47db4814f09bd54772b

SHA256
2e4a3a5dd8225065215895052deeadbee4f88215ef7357ba2d66a96db49507b6

SHA512
86b42f769fbf356705413e33f719057f00733a3c6669d96b1afc06ec568d58e1f97b5ffe05d47bb7e4f5f6e022f2b63f6aa342164917df70a7d085c0fc60e4ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
d3c7a28cf2014a447985a5a2ef4a97c9

SHA1
4aef0e94f7dd1e6237938046fc34faf5d2d2d8a3

SHA256
e5563e03c1348cb053633a01499cdb0d2aa75b138f8031f78eb43c47de7f577a

SHA512
04303afe6c176f9eee38a30a7137d4e23f71203aa91ad744af58f7a6ef89ebed3bf557dc56738b6db9e175655fa1da80d6d2c5bd1050a4d1b8060d2c3c5bdb55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
35b0d7543a36a1700b0a697dd04278dc

SHA1
133647b9d239227e4f40f400c9928ccce52930d9

SHA256
d41389b81c1b2161282efc9f45046e2bf67f761b0edd885d3e454e8a83028d2f

SHA512
9c89d0e5e17fe60fc14e9016bdeac4e15d1210b28527e49ca211844c1a4f8ceb0052a9692e6f44e96d0577a4a71fcb11524e80300a3bf52dff63878cb8439ace

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
2dc8fd290c07e795a9fcddb09775acee

SHA1
4c9e25c0f28314266ef524143b214ce10333f9dd

SHA256
2805176fcc057c34485bfbba1438fd3175e362535716bc9ba665a338759f5ca3

SHA512
3ea624546004bc101ebada3bfa9d3fbeebad83ea7aec7df6e1380067a9f9f898b1ead4428f9c4f9bbc8a64fbcd146fca49a5da28ef628ad8a67285b38ed60dd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
bd2e65936beccd2e1685057e6a0c78cc

SHA1
f11259a6f71c5e65706065c92a5294d70b15bc54

SHA256
d1eabac20ab89f7d7cb940d764d5d04c1da3c8813eb33854f4bd82f017f21613

SHA512
50dc65ed8c1f23b700f1dd63f10c9f68642bd2a7a5ae438666fd24989e02209f40c2825c5eec698bc441e1ec7fe05bcf35b9872cb4d9e00372b831774fea487f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
da002f3338197193298192fe8619e243

SHA1
6cd9bfbf91e47657ebce51d76fa95a309f048e28

SHA256
3bfc2c39aff1e85a38ef333d33b6604076b40f0b5e4c0e0a03041fc3c2b19fd6

SHA512
58aa969652f1b8c719066da633d0a92b1786e05249ed936a8ec66e77986368b7ee88652545d8a89a8b0c13b93e1a2eb4eb4e1b9a6069088693646dd2282488f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
b93a82be0fc20d2d5c08b93392ad446e

SHA1
38a0adb4581a0f7f4c9d5679da44cc2e38858f51

SHA256
1a34e8a116d7cadba9ca7d28b1fc535d4787db48b1900120f97ad790582f2c30

SHA512
d0f6fdd2bed49924d50042e621008ce5c42f621f961d5a09b54b5e866e0cbf14fcbe1dd0beff37647ad6b64918ca98eeb0cfe6fde0c4a9058449b0c2b4eb99a1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7a015d7c0e048306a29d76f90e88ec35

SHA1
b8356d8d3ff5eb71735c8fdd11cdd047d62017fe

SHA256
7507e9be9dd4a87ec4320904033ccc3a3be4e145d1257c834a9fba922e9f5538

SHA512
8b167d9be1674d95a6a5e0a0e41122412338aee89a20d9223e38b2e3c30395f2b3bdb1a5971b5060bfdaf817850f2a161c03b7cb9d5817dabdd663b4df0b4ebd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
332dfdf5f38a2cd8170581f1b430f191

SHA1
c525b3c93ae9e103818367b99ca76ffeb83a1114

SHA256
676c5942576c6acaa3bc9b09b4707c5713a14f3d6bf4075e76870332c329ce21

SHA512
017c2248643393f27e4cb2273241b9f52ccb65640a6d0e6dda2877ac0a4f2a6f99248fc9c6e757e67932d15214dd23aaa31df5c24dfd7a07c41ae1c4eb7b52a6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
46c9c4a0f056b2fae1f0d9ce445b1a41

SHA1
15ad4a7fd1d624e5f00bb9ae69724bee30266a42

SHA256
bfed587b7c440bdf0a064e8e44466cad5784c890c62c2c642d6797f91a3c1fc0

SHA512
8c648c6954586f80d4c0dcba0dbdde6715c7900cc2dce5d1410d54f2462bb15fcfba95315e97ccfe93725208214b39fe5f2aa6b217377061e9706c3969539005

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
da680319220e07d420eeb3db5c2a3c39

SHA1
b74e7e66dc50225a41a7bd3de9dd715de8c938b6

SHA256
d05959badc6264daef79112e11075145dc2c17feb4c39a823fdb3b14ba15da0d

SHA512
bc7289527c2c3ac299cd614ca9751b15fffbde1d8b71bc1e8f7c805fdbc3e45ce9eee7fb4e6a2c80baf79382262e3cda1c46463230ede36c8ab2e31b2a3423b9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d5905497a1759c8d14912c11c99558f5

SHA1
b57a8384a0ace968bbc87adea7703028817830df

SHA256
242db82e9686dcf419707953b178a4cc688e20b6086fa83c2f415372e9d33d95

SHA512
b5fcb84dfc6c04f0a7a6800af579181e78a763df78ade897edfca0ee3b4a7ce81edeffd95a0a0af9ddec34370aaa3700e3f7ff9fb3f70257cd0bcb7502b2939a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1b717d162ccc749cc3e15864c5e70561

SHA1
5d783fb686b70907301707a35c7bae7abcdfe837

SHA256
2d83501726f612610e8aa9e9f764b6ab28aab75d4674c0d5d1c185d1211863c5

SHA512
03e3a5545a9dff81d2cb20e1238d42d93103767a060be32b4b85521af8c5aa79c8b03ce7f270e00551dbe1f73c0a049f442cec3f4395b78ec73ddbd9a4c449e3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
bc8f209f42c0f05b515627015cf60b08

SHA1
aadec19c09a0c621a10e281804ca2d243e17708f

SHA256
b71964c600f036c46b94f58af2b6ac6e693310610eb6de5bce55e60219b595d8

SHA512
bd93532324fe34a6f164659ff918f205534491bd9b303772c5179fe305621d684ba3ecc15f0639602ee45af44cfd26ff8a3dc3d0f3ddc37fb529c568a4d10a8e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9cba5cadaac93c84e4ad6559b331e85e

SHA1
46d17631d5a62967821ecf3ff9c90d4f21719ed4

SHA256
cef99b38d28b05173f731d3b6372c3cc2026a2600fab7f57cdb2bdbf02511b30

SHA512
f2a7697e464655decc97173069918bbd99765b851781035d74a7c04a091277ffbd077b75c38a7963566812f051a7887bbf4f7aadcb05370e9ff2f9e1c709c5a5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
99ef9ff785bfe270667d1a265b945f8b

SHA1
13c2a17d3cffced82d403b6e3eaca0d3c05ab692

SHA256
366a701e4f7663b48215327eead6ac7d6b041440c59dbfa2dd9c7b113822e75f

SHA512
e54f22a49d45b0ae3b022553d253ea2a1f0d370bcb695ab42cc5e1137d94d271c5226a38ef76d470ceef89780774bd4618456364f71cedf409bd7f4f1cd8cd14

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9a04359885b35164e26eed8c568bfa9e

SHA1
b72dc986119cc8f277ffcaa17661e805c57dbc87

SHA256
d8127873cb63128967ac82b8ad5f15d57f9581c96740157bb2afced0e2cddbfd

SHA512
06f07d0d42098dde90887bd344c7c9efd3c4d515d10faef1cf76fe9323bd4a4b769b4da4f5177f434c08358f768a34b1ac70d63fead22792cf93a00ff6d2533e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1d8f826b982bfe5dea1b6b4473ef6ba5

SHA1
e8a1ca870d2c60377c75b7239e440dd8050fff11

SHA256
1db6a3b976a510ed316450acc73983f8b5d44970361b3cfd9b13a63a23a7ea36

SHA512
f5167e61b30822dc8bdd5450f17e001e64d7ab0485f706c5e45815eef4445e9b2bcf67981acf13ff920b0979074725f112fb696a6e2bc38057393f23ff6ea981

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
35b638c0c46dacbb6c64a4ad0ec28300

SHA1
264b6574ddf0d06a2a33a346c3d5e77570f74cbc

SHA256
23112af1972ccc1883475284442ef2b9419414ebe73051b9b7357ee394660018

SHA512
73ac71144d548cd9f0f0b87ad40e9046333340a5042fd9b39091b101b400141458f7eba58593a21542ca7432329bef718d9e9ec27a8ce5c0e3bb8fb8fa933f47

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
7d77a688f220a30867f5abf2c1725600

SHA1
b83c3f5b5dc94ef25a1de0768145bc9b3a6f0fb2

SHA256
7eee8a11e22d8c00d2fb83dbcec1a5e7e57974d3420aee46dc0969d90c89da50

SHA512
87a9787856b53747673ab516f460ab693dc1a24ea0b873370d656592c43a4b67479676e78037ab234ce4d297a03ce0b7810f0cba741d66f6b31f7d3dfd85ebae

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dedad32a1e3521cf1a0248ed2fc34241

SHA1
52bb0c7470f535761d4e744f641d9dca2c493659

SHA256
d5d1ca5ab839279fc619d240b907a55d3ca29ca1cae6bcd8ef9f956cfe7eda37

SHA512
dfdc4616c8261693d76a33a0cd125f96f72c6a895fd0ba79cc6cce9b42fb9fc06844bb3698c58e395f925f08a4559f52be63706cc1ea0bc89acf4abe3cf8b1be

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
367bcfee170791cad9b3240e134c8461

SHA1
d2c8d2eb1142be15983465233f691fbab3a2c606

SHA256
8dce98c12079b4f27a8a70fe82b29d6360dad99293c14a818930df84ef45cc0c

SHA512
e2b07dc75fa4d2a3fa4622698a628be808ae6e9b86ee8a2e892be679c1db09083fc91883a2254a9169414d88abcd0ce84add020d5c682f6ccf5b4e52e17b5d67

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
9232e6ee911c5b31a2d473b883bb3d81

SHA1
532c13c9159881a19df5295f4cebfa1d1a4aef08

SHA256
d25f0ef50fd99d16afb47d3a9b0168b8282b57a0e55def4a77701c16608cbaae

SHA512
c5e65188f1102034fce34f7a30f90b20d66c2a38a3034967703ff15e595236e759a8f0fd5f6c78ab96d2bc92973c31f08bb8924653e5c8fcb3bdeb4370de0f7d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0b0931c1958d0044c5e4d7870af9f40d

SHA1
5087fb8bec687163a07b4b0bc009802c8f45b643

SHA256
dd49c94ae6aa7b8014e1bce505574de01fb04b3b5413d016c1f17620977a4632

SHA512
97204a2c268962a212a4fab44841b5d371fba4170fa29ef1542bde57692bb283ff2a8302ae080299b226e26eb821b637134993896788c93862eaaffd869a0e86

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
91de72985214f2134bd39eaeda08182f

SHA1
430a64da0e05f9174d42ddb10736714758d73e09

SHA256
2cfed060ae2f07cbc7a8dae986c6b781534fcd7a54482eee42726e9e8af5064b

SHA512
db5851e989e4803b2c125a095e00ef4576ae0f507bf183ca937e674727ffd8d91c1af86dcb26b00c200fba5773379230390ebb1a38fdbdd3ec6d6de9be4044a0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b48656a0641c92a111f495f1ca32efb6

SHA1
b6cbda3e99c1343bc0c807a4b9189bfd07bf440b

SHA256
8f46b85df8d5e7b4c77d00ded01243934bba4f16517b545dcfb3f80fb0e2c684

SHA512
b3c27b9859dc95cea79ec88faba613f382e7eb4e452fbadb1d75cef4584da8d7cbfc9ad72b8f26e8fa813f401a61afa9f78048b2a0bcfe6b60ba956d48191f6b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5168225bb29aede4918c57b15ff67f63

SHA1
61594803d6f6a3f98b6b57515823a2fc21a689ff

SHA256
6e83eefb0e68635e48d77363c4fa332956ab1fbf838f045f4781ed61b3383e83

SHA512
90821ece74f2166b2d7d36d1317b45438749ac218d962366400b5e9f7708166457b15e9e44634e18c02169920868d3660c75d1c046a5cca03eba8305aa456490

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3be298ab21326f88cabf1847a8da8c8b

SHA1
16adf230f3f1b19f063d5a7f13de5cbae4a923b9

SHA256
6ff176882b76489151f74de4742c110f72821bf7aa67da1cbd98d89171514f36

SHA512
828ac40a92926dda0f3f80977d0bf62986c9284e44f689bdedd7f2c3aee899049c64569cf619b3658340884ebe24560a42ab09cb84815c75439473cac8aa1d10

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
4d620708a99fde0d8a90131332910d66

SHA1
f33d32c69020617b3a8d18c318e6784b2487a24e

SHA256
98888b2c63759ca7ebdd53deaa80ff3b9237cfa53f2159e806a53736e2998c3e

SHA512
2c013c9debb665a8547bbb4b9dc1fe9905620fe2bd5861439961788e5edc71acc6bf8d4a5ccaed7b3e4520c04c9f2466905ecc1298d7c395f7c5062635267b05

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a3740b714812e9e7c1c096af7d423711

SHA1
07168c07e9835964a4eea1b00e32b7d4195a35d4

SHA256
ecf5414f23583a46223d3a85f87754c667622ec1937291fbfebf2ca21b7ea370

SHA512
f2028da56f28d931a72ad2d6e61464e4a15bef57910bcc52760331c0de153953958f185cc9818f62311de5789f0534b62e43e2ff56fc713a6ef027c9c19f4a52

Download Submit
memory/764-149-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/940-148-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1100-196-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1100-615-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1260-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1324-150-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1564-49-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1564-55-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1564-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1564-263-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1688-90-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1688-97-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1688-84-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1700-617-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1700-269-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2032-58-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2032-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2032-39-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2032-45-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2032-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2088-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2088-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2088-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2276-185-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2276-614-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2716-611-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2716-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2748-79-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2748-73-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2748-93-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2748-264-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2852-265-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3024-12-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3024-22-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3024-21-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3024-109-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3384-267-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3384-616-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4056-585-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4056-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4444-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4444-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4476-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4536-610-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4536-162-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4688-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4688-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4688-82-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4688-262-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4776-8-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/4776-0-0x0000000030000000-0x000000003023F000-memory.dmp

Filesize
2.2MB

Download
memory/4776-1-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/4776-481-0x0000000030000000-0x000000003023F000-memory.dmp

Filesize
2.2MB

Download
memory/4776-94-0x0000000030000000-0x000000003023F000-memory.dmp

Filesize
2.2MB

Download
memory/4908-121-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download