e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
Size

1.8MB
MD5

1c64629597df337bfd6d8bbbf1796bbc
SHA1

c39c1c59485c16a09a9fd4ab6ed4ce2e22e0811c
SHA256

e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf
SHA512

d3a95852a5c2210acfe13b5c118e4629d9afdf1987585192311281aa6954cf8ca24137dd5a57b64660c5e772357330cd686af9f3fbeffa1ae04a635dbc0b3b1f
SSDEEP

49152:rM9QPdxwfE7WlFwKAfzuTiDFUFkbI/uj1tObh95O:r1PdVQFwKZCFgTOUv4

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3112	alg.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
1956	fxssvc.exe
4188	elevation_service.exe
4996	elevation_service.exe
1176	maintenanceservice.exe
2904	msdtc.exe
4268	OSE.EXE
3132	PerceptionSimulationService.exe
548	perfhost.exe
1152	locator.exe
1648	SensorDataService.exe
2040	snmptrap.exe
3420	spectrum.exe
3480	ssh-agent.exe
3276	TieringEngineService.exe
3052	AgentService.exe
2876	vds.exe
2824	vssvc.exe
1292	wbengine.exe
1732	WmiApSrv.exe
3208	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4109e61ec3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\locator.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\System32\vds.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5081.tmp\goopdateres_kn.dll	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5081.tmp\goopdateres_mr.dll	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5081.tmp\goopdateres_it.dll	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5081.tmp\goopdateres_nl.dll	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5081.tmp\GoogleUpdateOnDemand.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5081.tmp\GoogleCrashHandler64.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076ed38fecac6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000767f88fdcac6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007dce96fdcac6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f206b1fdcac6da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4520	e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
Token: SeAuditPrivilege	1956	fxssvc.exe
Token: SeRestorePrivilege	3276	TieringEngineService.exe
Token: SeManageVolumePrivilege	3276	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3052	AgentService.exe
Token: SeBackupPrivilege	2824	vssvc.exe
Token: SeRestorePrivilege	2824	vssvc.exe
Token: SeAuditPrivilege	2824	vssvc.exe
Token: SeBackupPrivilege	1292	wbengine.exe
Token: SeRestorePrivilege	1292	wbengine.exe
Token: SeSecurityPrivilege	1292	wbengine.exe
Token: 33	3208	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3208	SearchIndexer.exe
Token: SeDebugPrivilege	3112	alg.exe
Token: SeDebugPrivilege	3112	alg.exe
Token: SeDebugPrivilege	3112	alg.exe
Token: SeDebugPrivilege	4180	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 1308	3208	SearchIndexer.exe	106
PID 3208 wrote to memory of 1308	3208	SearchIndexer.exe	106
PID 3208 wrote to memory of 4820	3208	SearchIndexer.exe	107
PID 3208 wrote to memory of 4820	3208	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe
"C:\Users\Admin\AppData\Local\Temp\e3a41a0fdd89a578ea01e538f5e48ad88a253465ff28a9da93a339df0475d7cf.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:464

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2904

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:548

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1648

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3420

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:820

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1308
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
abff8154af789977951b74cd0ccf0932

SHA1
c5a802456457d93dfd95c179a824497d096b04d7

SHA256
76903d1854cfa274e0e9b95dba69d6b0ea04b4fa4f3bfe93659a2e874eb8d253

SHA512
2a38074255a1613ed20042f8feeb9d14c420de5ebea2b9b963e7cd130e626c8de857dfa67769ef150335c5eb961bafd8ea86ae3a43cad36bb19457eb80463030

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
708387e7f24c5941e85cf98ca90b9b74

SHA1
a4ec6e73dd75c7300665e767735057ea135c5403

SHA256
5e34d628417d1cf3cc9c81e6a3c0edf05e509757435fe1038a42822f88949226

SHA512
777eb76d75fc1158bfad52a175ca4fc0ba6e9bc3b6cd168c456f2f00a7e3849b058f35bf7c05aad689a9fcfa08e0c42d403711a514267be8924322ee6332cc02

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c2b59ce55b8e71f8cba64cded92ab529

SHA1
fd384668c8f16a3546f6d62a54f6ddbac338ed63

SHA256
711890c18aa90c616d759811d09f5cd63beb62c218556af847765ba8a4d265b9

SHA512
194e7687e956e907bb6f55dc1f9fd66e35a22ffc910550d2b901652d392f0854c74227544c2e50c738f3fc07bfc25f8f3011087b636c8aecc997d5d07940229d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
69443dc9ce2703e270c245100d061b11

SHA1
7d3e4a31056f48803d5b614c6eca8494a8f452d0

SHA256
5c591a9a06fa92b07df976c7a5deeb59a3d6cda471a3d3e632a52183f701f749

SHA512
1cffd3fa7b6a0b5d6375b0cf0e4ac347969eb46fbc881b2911464c928366ab4fa547a66687de57d556f36b069ef78ea7dca28e620775c1647239d5fc3e3364b0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c34e8b94dd3f21ee3d90e0e938780f39

SHA1
a2f85eccc89f1655c428448e7104e6495812eba2

SHA256
b6763426db6faaab6d30a2b135f75ba75d712c04800bb0bdb00a1596115176f5

SHA512
44310305e5f16e8a8db6ab5e006193fc04a2b871e592f8501df49951326392c4b25cfc78411019369fdcd7de24b261022a77f1f6de7718b6d79552d4bd96d562

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9e778cc29c3e3498ce13dd62a4b994f8

SHA1
09b032f1296164d9c90f4ab1e50ac9a884a70587

SHA256
5ccd83f9e7c15f0438c34860bf61a37e6eadc443b125b9fc19d9892f6a96fa20

SHA512
c48b88d05a7e21edfab95d9570c2be621db87847620f116114d35fa1d76815a830c361ec34754c343d713d789a50c4a405953513cbf7c20ad90ca4e1de089f5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
58934b343978bd6a4bb1f7512cbafd91

SHA1
74bbd087d13cd2871b47c724a1abfc4d9e318241

SHA256
485efe54868d69d307af122879678037aa37917a34a4195cb895db01d1de282b

SHA512
89d93456e1bfc76dd01b9544d6e8c0231c402422b9d72d7029e64fb5e38014c99c137849ce4c5a78e57831e07839fef0df11888e1282fa47c147e69089c864a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
177ce06ed70c725caa6534d6ecea9f4e

SHA1
544d7605a83e80c2f61e0ffb47301bef195e9a43

SHA256
a8fa42ea01d01cd8572a372763b248bf2987b84a94242326dfe599e0219118f3

SHA512
f1fcfd91eb68d8a18be13d4bd93c02e84dcd8412093af2e760568834a5a89b2627a0ee936aecd4a2b5709e4bbb07f383ec356097769c65d4e3c5305cda59359e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
016e4138c49ea9fbc9be77cd5922225e

SHA1
7494ded84648d54c316232a515f1cf152037fea1

SHA256
6864adb369a49984a00fa0d6c935ac128a74dd169f1604f9d4aee5e810209dc1

SHA512
fc97db30fde7080c6b766037d62d3958432c271a26f2284327776eeb538f795a4894c177a80cf610d52529cdbb18f6d6ce66ff05b9da523b33d3a68f1d93370e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0c22b826394eb207a605c1df1cb83321

SHA1
676b46fb3f6f6981ad69a3732a521d5dcb2d343c

SHA256
a04d542974a77f5778a046cd38ceb9977b37c0082e23f1050f4e8bb2eb0026db

SHA512
108ccc81b5a61d962d1f0d5fd502d002f2cd53a3e0f97c73bf10072dc92c49b392266ee32092d5820b10d12c11dfa9042f78d85fe8192f3d11fe7eb755382429

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f7c5011aea31858b8b71c2576c1c9de9

SHA1
2ba4fd8ddf4df8fc2fe79adc7bb458b126b7d9c4

SHA256
588b38128d7d489862c132e6716b1b579b62f2f01a27dd43de20a424b34341ad

SHA512
4b9efa07329693820385b890d08414ab81e555e33a5a64fb587a135d7ce124c07273bda7df81a8e5640c56c88e5d8aa75621c8f3fd7efca88efd81563ed05a14

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6bbf0f97fbc080b08e3d2777a7190a66

SHA1
5e7250dc8edabfa06093d83ff114e5b66c596f5c

SHA256
8857161bc56a0ea1a67b90f75a19488074c48285f1d2586d65936015ff465785

SHA512
b72574be1bbcfb827866f3521a1776af49943491e8b68284439178a367f710c6be8a3ca0b19ed4e45f91dbb561a1244b2329b25f8ebab8b2e464f7dcde43a3be

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a6ccbd04b43ea05b313e3c132bcdbc47

SHA1
e52792f8819dac11f93db4e3f07ec3ff93d96ce1

SHA256
4f5a1776f2d5dfb599f8dbf2e54070e9105959ef9fea8158d9040e81254fd186

SHA512
41ce3f93295178ada3ebd4622997b6354595b7c8cf7f2deb2e0faaa89ffb953d86645441524d804c14b30cc60f304702e1ad28c6450deacd93e881ad50280233

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
30fa45d684186c4ade55d83566f9418f

SHA1
fa8a4233f6ace6d7344d7e804514f9ea27bebcaf

SHA256
c989969b5d56a9adc30481a780c2cb8d1092e6f09bd9da16c4c65e5534806014

SHA512
f8249bd8416e143ce8aa4c18ff7eeb14349bf7a450fbca4ee88b87fb89886cd11887a4568bbea6f310ab40dd302f2e5bd0348819ec050a5ce47b9d54e77a9579

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f982225024627f480d82d0d5fb22d37d

SHA1
1a69622c17195c78b90b11fe37f62a39b386a589

SHA256
6c9edf20ea2d4b694f4ee7d28245118714d74878c349224b37005ac2db7ef9cb

SHA512
35890440726576f21449254466ac34fff28c31dd1c9b40f70499c24bfc95fef4cccece7b0057e32aa73b1eaca2d338727fd32e5ca97e8467e478c557fc8bb104

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
369ed3106772a2de387f7880fbf4f785

SHA1
c53bb7c17fde387c6a53038538efe01bfe276466

SHA256
b69dc924e4e91936d07cad21a166b8e3d72929ff60b25d7c2ff41ba1413e6a71

SHA512
c236ba88eef4823b8f1fba9f01af37828fcfe1dcf67d8d0ac73339b234f93c47509eb08709e38aa16e101ea52f0b5e8255c45db0d847503715e88e4c2ce54e8f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
00ce1373581aa458518f0746424d9b65

SHA1
c4d31d5bdff13338cd49869e79f7055be7fbda41

SHA256
6ea4b498099699d0969f1677ba084616ff2428b342eade4381dc6ff62f6c73cb

SHA512
8f6c281c08846e241fc39d839a44a522395028305f1305ca142d4fc66f72745376943596f883b4bdaa80248399b7758a036b4d2f053f1ca5b056602846ebb797

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
176af08478e43052e1db3a11b403975f

SHA1
c9c4bb49356e639233f3bd8c1d37e7a18869c963

SHA256
17227e39415c752ed8a8e09ef70660cb3dc576a2da5b817618be99fc5b6810d6

SHA512
f08333c99e459dc01ddab9277f2feab1364f39cbcf19fa76e890231d95e3a181d09c1ee0482bfb329c16405e427eccc86fa64bdac5b643eec7491cc90010b2f5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3e46bc0fbf95acf8d73397758dbecb44

SHA1
e53c8c7beebd20ea4b10a40dbb1244a553933887

SHA256
e2dcf8806f65f23c7b74ffe582455e156de3d3ab008ba69d9cff8dfaca26ead8

SHA512
245604cb0f1cbd46f7347f5cda67926abf42948a438268779f08e26fe16048755385dfd7f7404bb4b663f794a54dbbac770c92d0855acfab1f90f0bc6de014ef

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c4f9bfc50a2eddad81e25792c7244869

SHA1
7c329462a9cb8b2f60fdd86bf0977812a1a006b6

SHA256
01a3f6d0efecd4f7e9bb0ee1a74fd4e38f109687c3090b1b9a8b834ce72600e8

SHA512
bcebd0036e339ab4c7076db48ea4a4a44b1787f5bd964c2059a7d1d798de0ae590762d5417c459584e48334072c49280758dbf9f6b74755b68da1c8dee6ea477

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9943236c2c41752893a3724b9ff06a43

SHA1
ca948e226997c98698d5453253545ce50adccc0c

SHA256
b39babd54515976788b39e916beb3468f0b5d6514e22bdcfe079cc70896d4281

SHA512
9bea00e90d2fc0005e7c3671fbad5fe47af239f1c11906a46ae0c79af22814b6360e9c3b9b44b7ee48bd5c3491d8ec3843818033e8cfcebc1357f8f42c8ec94a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
5989a975664e6ac99c3799cb52b97346

SHA1
f82a12ef005cfbd7105b1e0c256b7c08c222ef73

SHA256
9dd0e81d3e4d524dae25b252f1867c4bd672b5f25ec52bd67ab1eee7d2ee4a74

SHA512
764db9428b4f88a2fc9656fdbae2f20e9f14ab33d54a3ad61e383995eb05e368f94c4772c94ef7165c91345d9174e2816783784369fd7841e6ee9d8de5811412

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
92017883587b143feed24f1659368684

SHA1
f3f9efc543ac1c72441cff90f1065b896b1949c5

SHA256
acd6a0cbdebaff649cd953327f698eaab4d4cc1617c08f70003fb3584f54d0a1

SHA512
6f11f95b41eef20cc8ba846a086d2f83d9e4400a8644e63c4e03024735b1279d99589b5ad2677387b9fc75e82e39083c13c77afbf7d69aae3a79056ea4b12640

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
f9868925fbfbdd86bc60834e444c8a3f

SHA1
52fd46810a79e378e4e9747d0224e873dfa3491e

SHA256
6b8706ac3ebe8cf56ff1928e2664c06f57b3be1cfcbc471045d152abeb5d4e3d

SHA512
d5ca7dc776d8d7e7089c0bcdc200ef6785055398694830c158547485f36d3e70dfac43b9f231c1f3cca68aae43752c0903bef8a3846ebfa4a72f9c4d113432f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
3abb8de2af262c6606790013494fff1a

SHA1
7aeb30266f9e0cbe1cfc85a8a224964d1d2ce4f1

SHA256
4645e827a6e6ad056d148f6f705c03931b5e20623ccd7e4ca40b7f44a52cc11c

SHA512
d9948dadbaa3ce98c3f2dd168fbafd1b94ce083e6a6f976bdc52408282b4bed422f0ef8aef8ada4c48276464d4900d2bf991644671ec60df807dc9748562dda4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
5b6ed7c3b214b095429ca7754af8ce63

SHA1
4eb66779b6c97d6f084d4b589e5c320cc6890327

SHA256
f0747d497c2f052fafb9e60d420ef347ea4d5e4f994fb0a9f6891af1afd9bc20

SHA512
de965f12c44dc5a364bd15e6ec1575488bcef30ce11865ee0f63ec28249e2a3f99f29baa3b98898ce24d134c7b4dd16afbe33834c01293b2192bfceb06a0c491

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5735541adf065606217426122f728bac

SHA1
7153ff9602200254df1466f3dddc600c462cdfc3

SHA256
f48906249095ab5b4448d36e4e1ecb4f68afe1a8ca042fc81dfba479203a2688

SHA512
30cb2164b4098df806868ccefb9c38c6fc8b8f7ff6ae5d5011cc67f49cb3357add23ddc71bc5bb530e978ae6ee1c0e43318f2defa5c895f2d236f0390b174583

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c564c2bf51e3f9363fa2cd6b76463d33

SHA1
1e100d57ee2cc0189f9a5f8eeab2d2a0c9278e55

SHA256
3894c5d4130095ab708266a23579eaede70de5b9895875d1cd205d3b8d810bd5

SHA512
fc7e0012fc8d7caa76a158665ef26a4daf5bccd028845074107891d2305e66ad922f6ccfb0a1ac8f95464a7180fde8fb2ce159e1ca313fcd4292a9f345b0e635

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a0376778fbc4229530a8e663855a4205

SHA1
8b38ec4f721e876ff111383712868839cd95667b

SHA256
77c96a40a83db1863b152e106d1d540199323ccbf37155837e4d19a1cb118a7d

SHA512
b36e6df7ef6b969fbd9c2ac6d24e9cfaec0e55ae5200dbfb1ad1fb42deecfa098926d3ea8e3b12df6587850550cccb8da10adb253c0a6e3a546d914923ddb57a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
583c316b6abb08b48bcabf85a5291bc9

SHA1
d4cd42b6091733d89d0ae6f64583a48971c74f69

SHA256
f52f0837088ae6413c5046240920a831c371bf535abb9d422774c1b0a2884a2c

SHA512
d097f6ce6df9e17d9b0b8d65814ec0ed8296b2517f0faf00fcdfb337a18f1189a7a627d6da0c22e41f8f54aa956b5def135ef68bb0be7a5a0196d055870f2368

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
977002363591bb29fe25b56479412f03

SHA1
dae29bf4df312ce4bcc912d58349420f4f04731c

SHA256
f91d2eabafd02cdefdf0e938150228602b51bd69496172cee67f5646c6fab849

SHA512
802c4df6c547a174aeb9062242022860d65d7f0120db68bc219f70ad349ade1c2d276da08fd90d24447197a5d04d1beae46c61f7a2284f53cbc5b00f10ed9608

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b5684421c412528718a47ce6100a0a33

SHA1
849f4793e197363cb6021e56bc56914ed082086c

SHA256
f63d667f2c5b6865982f866be9f5ef8046514da1b8d3796d7756331277ee656b

SHA512
0a256236a1f972a633e3c66bd4da919e0b5d7c4fd5cab90674273ce84b13e67498ee0693daca87f998381b991ca9259d53aacd40f81a62a72da3419e507182dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
fd3a6683dc41f214d8ad9d7589d2d192

SHA1
f56add591c6d3c99e2d8d8bb81f0a7b12a286eab

SHA256
9838f448d1e06083bb78a2c557780442cba688792f74915abae8381d117d1ddb

SHA512
85c3f8843fea1f1f63d9aa9787f7c2b7af751b97a2c9403dd263d27e019771e57a5bf0ee206898449f604b3aba58871df724ca174d46e4e2c48940ee01830b7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1eae9569ace4125472f1b62d14ab94a7

SHA1
4e7fec8dc8480d728d16d4899df1a989cbdb5ad6

SHA256
a7bf213cb6b569653cad0256d584a7cd171a68088964af42382fce056560782f

SHA512
bce32fa51bdac593853f8c38653b5ea29bad5c7029d43f292e47c4a86c165f6b49407832aaff2af9f71cab7c3bb5e2f06e62965181da742dc6c83a01bd7b1f97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
734100d748314bced7fb184bbcbc172c

SHA1
5d7c780a78b80fafce61d2d960f396594112c974

SHA256
c5c888e09618874f3e376ca702245ba981ab22b644de3776fdaea420edf1c7f5

SHA512
aee07d9c772bea9756c9eec1c8324db2c7022a6421cce6f59bb1dc0da23091e03fcbc626246fb07f6c3afb902e7f3b9db1d5a430e4a50e8590613a1ee81a34da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
2476b255c897d0fe94e3f34d89eacd15

SHA1
9cfbf42ae48f78ccc37af245276b08897c6ace83

SHA256
c7ea9706c9899265360f4ebd3ac301795f934330b19e103fa5fb830f2932660e

SHA512
47ae30b9962b68bacb123185df2e346b323d83058fd6774b99abd8864869ecb27ac83d00b477369f9ce0643c7739e05b9420c6a545eaeb451b99ea13ae3f2851

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
7312ebd67ae8e43df658020a10685372

SHA1
afb7270ae6dad8efd312a48efabf6df687da8526

SHA256
68f50849890d9965a4246d3f63014fedff520d8666bad700994badfcfeedea51

SHA512
3ec7cf9b09a454967bf87b65f469ff375f7521e704f77a5f3fb9a803fb94b1ba1fb7caeddfc3151995d26163ab3f355b01901dbf6094ade8e9e164d0c2119d4a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a2a29418d8a57e78511e1306fd904b25

SHA1
7dc7b58450fbbe6a9fd50994e7a1dea195174648

SHA256
97d704c0971036f155041a7fbc5084793e7bb278dbf193d03d5e11d3b498c92c

SHA512
174cfaaa323811f46efe71f4ef15770d302d6fc6590623006e103022144ac05f2b34446f8635dd40be23e8f9b20bf29acc2840013e53987be9008ff9987c7d36

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
eb4fe5235ea1ce41e450426c40968d0a

SHA1
9a6db28662141c5b85b01f3a35f7507794ef3abe

SHA256
b53209953dd29b6ffb92a9f65ae4849b06cff4e4c092d4706d60beb710431336

SHA512
0e96d06d6d3bd12538ab9172e0e1791b03a77fdec84b21312c6ad71bc464ddde04c49a8d0ad59ae5dd55e12cb658471ef40165b3a70de92a8115e917877e1c6b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
74e0a300f41c9db189b218df1eae7211

SHA1
28b73dfc0b46a39aaef2ff267025dfa451b4f14f

SHA256
9a19f98b1b439025ce50ff91f1eae661af600efb151af97202a22f408414b9a2

SHA512
350bc187d203d52b3c0831e67aa20ddb3d23393ef8fd1b3a1a1a7c75ee688cecdc404104a1360051874485c357aa56bb89dfe9edb3a6806f7f9e58290f5c1da7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fc20a740841cc9e7eb23390428acc49d

SHA1
97f97e9e966d88c2414fa6d70e358def56cd4720

SHA256
f21f4b37eb9604d4aaaf62802f4a4dcf19a41969f778e4545033650b3cdde601

SHA512
7d77c2049eaf01986ec5cf7b4fd1f6800e0d8652be14c3aab68c59edc74aa6ba717ac95f12a56ed1d5314278b5c04ba69034c26278537ef04e5c7d84e0f21959

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3565499093eb5c91cf08bfc3a888b3f2

SHA1
28189ec454792fd24e6a933998627fc763068e05

SHA256
0c9d77280fae0c40535540f26fc7e0979703a8380aed4e24493f9a7fe0302325

SHA512
10916d51fc63cf6b65d5daf161ea107d49f5977831683b59281bd4ce579f56e9aafc08bcc1578938aef0e86662d78409620bb42b2a93eb8b8a84ea22c3a95769

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9a647e37e6a61cb6e712effa67f3b0eb

SHA1
c5b5380f7a8dcde3c1b3ecdd665a84b0b0ac3c64

SHA256
d35f4ace3eb535ea88ac78343b88188a18009cbb5fc3929cc7b1a59caa86cf68

SHA512
3cb7e1376dd952a1d0fd0a71a62aac697a6eca6015c532061d2f5df245cfe300c5490ddb6023a2aaf67467810945fda959f72a573962f84bc6e37b0407d3a6e6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
774e4a158578c7e764a79a8f7d5de038

SHA1
1e463cdab69b37efa6a03ba4ff379cc089d9ce03

SHA256
e23ea0b61756245286f67f9cb81e3819376420c42d982c07ad7b29253971767b

SHA512
dfe6984a762d522fc0e168f88bf2ba38b341cac7ed5816d701ac84694776c682814f1399e11470fb25e4efe43482121c5bf1f55dcec9708e6e6b008233f92d0b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c8bff8542e83ad7c27d9372b261cbe32

SHA1
fa689b9bed605d8a14d901d21fa9f16dc48a065e

SHA256
ee2eae74228dc8327a641ecb7a60cee1fbcddd3ab4cb4afc33b22e2c38d07365

SHA512
65741c2cf4e6ddb895fd39f27b42eabe3a6d86f0dc7c12fb7616855b7e5181dc21de172841d58887960ce7933d798d36d28fe1df3376b42ee0bd00d9f32052eb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a3c63963087f404872fe49f832014190

SHA1
4aa58c4910f858e618ba75c1c5e58d56f3be9edf

SHA256
aba05c5567c4eed97960bcc13c07dc564bed0e6cc8ec72c37ca49d7d0ad893b6

SHA512
901725f2410d455f3e57e9f63fd071c0cb6adf5aa34bb5fd633af93561d66f4556d29f809e5e2dea144eae7504f9aed65551034f0ee4df093ec71f9c6d1cb56a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
16bba78a9dd5f1c478fdb99e19f01df2

SHA1
304fff37e6a64f53cfc2b8d4a00a04ea950d9f9d

SHA256
de15ff561024fc966046b5a06421f8f7d0e5954b1b560dda094fc9642f6ddc4c

SHA512
d04b578f550450f161a46de7beaf220afb31631a9b57ad69422eaccc493e669f34a84496e5a7e94b77ec6c3e4ef2ccd0f86a2a4e9a1cd8d6bca5439aa6b6508c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dcb30d20f0e629147466a77765aebd27

SHA1
5ab1aff5775e4ff4356caaf3e10e973ddb1e6e47

SHA256
1eb56f9956f1d49349eb177794f81dd01130b5a501027eb5a90aa7adc200c311

SHA512
8f8719f835c5d73dc65858d71523796cb4338ad3e3f9ce31c360ca16c0f46df9dbf6d66a993c5cf983299f1268baa4f9017ca21dc34389f0085c62742f618e10

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
486beb59660c3a8d1b7e175f2978387a

SHA1
70757ff5d571a64d3a816b77bf9838e98b54b323

SHA256
635f041e93457ad5d00a08a18cdc65c2e4d194dac43ead1e79cd849d0d402b60

SHA512
8b8dab7146dabb715e35f7bfe104d38e90c7924e1476c6c6315605ef4ad6b0d465f31674950aaf4b0633c31b3a369c8b4ecbd4c78e63d25b5f6a5da169ba0224

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
40a4633ebc58af6b8f49f66221a6031c

SHA1
10a3c6f86edbc256ac96664a1e36e860c892ed8d

SHA256
819c9301645e167d7f54dbbf98909b3354a5f4cda9fd013c1ed909e4e43d3ad0

SHA512
48bd8c12cf9c28bf48ff6dabe373366a19e1075b5943abd715da8de3c6acf5ba3b58c540ed3bf15cb19949c0c6f1a3ad9b319cc159f2a7582bc4758dd42f4234

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d7bf884c93550b4891c1569f1421dcc3

SHA1
4a6e11f51245d1e688774ee3219536800ee1220b

SHA256
bffa0404f04dd0328537d3c49a9591d4fa2104d67a6eccfd1afbe41a2789d6c8

SHA512
87cd36bc7a64b484410595ddd6f08c498f4d426d70ef2d0879045879a2a5d351a95d570288099be8fa2ece3484d4c5b6274ae25e0ae9622604a32e1d7beace71

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e1af00bc8ce671326c2eae7faf8586ea

SHA1
7da0fdc165fe46ecd530488995a134430cf8ca8b

SHA256
8c3e3c33f247ed52bab8edb2694946278fb0a07b753d734bc73e2782285e3845

SHA512
2779a47b66acb747a5dad64e38cb066dac07e43f24b630fd68be6224ab2229a12c8534b450931110efb34a9f9b58c76aa1910e3550e743d193961cab325b0150

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2319a984a6cdd4f020153deff23c3d05

SHA1
91b79e89c4f4b1af2c0fa1437cf0aca4e8538d7e

SHA256
73c58ab6acda5d7f7c65d58a08e8eadf2d6bef5e2e89abdfe2415b65b98cc169

SHA512
99c1ccf55d8fa86fa2288edfed13c6c0e2a81a0a1f793039d09e149b124739c89069428555f358fcc36b918a5b9a0b0aadd09a8e8d519641f33bc8a4acd604a2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
50b99a9552f70326a944b2f2d7746a2c

SHA1
3a8965a66b0db8b926b0e5ce761365de237fe4c4

SHA256
c0f7da0739b552f9971e0386608ed516c7eeec3d3a9f00c4a2edd46823720aee

SHA512
eb33eb64e749cee9e62c823f7d24b0276ed1abf63ba0b548bfba72dd3f66be71c91fa3cb706bdb2e87f1c3dbe03e2a3f3644646d3f6ba34f4e8a020230aaeca8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8b699621499371dbb03608a951a2de71

SHA1
41b46e37e748c942a91fb00c5b0b9f3f800d13e9

SHA256
26c7b0977f21f937ede8035739221bcb392bcab3c43bf29a8e4c6befe65519eb

SHA512
6c13ebd3232633156c2bdc532f55e0497bafb9cc09861f635e09aa776c8e9e73c96b9f4b597e6e50dc57ce92bb8d1be313226b2ce9b1a0a2bb454b1fb93de7e5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
11f51adf86d585332ad261f34f7cc1eb

SHA1
1c09d9ed1e0f1a515b50c0f52aa0aacd650d16cf

SHA256
4152e8770b0e0f624664fa411255bcf9e4815d0f0b20dc7df9e04b784b679ca9

SHA512
f538067c5c706a714fbc4ffa684da8df70b837d88a84663219cd2e781cdbf4b43a41e5c2017302b8e4e97b8736967a46f84e3f199264c2c9d40dd548ae1ae79d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2c62dff447cbe535239579b5ccaa8515

SHA1
52f673de6e2b3cdd0062b94c16fc2215ccc55a50

SHA256
45441f55aa4e7ee2699165af7b4eebdca6e965b497c6d6ee4996522828227faa

SHA512
d90933f0c5c6878c7755ae63c84e551dcb8aa50a0d986c1b90b6cbcbf54b4407ed2b0f0c49d737baca25b02c6e0ce00617b21c3f10324fc1c8d3015dc27d9a30

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5ce0f623e2fd6d44edf1fe4bc2e3232e

SHA1
d129f3d5e6264615110e4b50094539b8d9c98493

SHA256
910678ecf13e5c0f2efd2962e08cda280f8a6939baf6180a96aff0d2ef56ea9e

SHA512
ab508642d56183bba3c0bfac75a363853af0c54a0eff8d2e6b58afa33f411fb4cbf18a985bb9dab50fd2f6635d416392a37fb1dc4014c350bb80fde6d39a4761

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
a2121e5d426c971175b95ab3b4aa0f52

SHA1
1b98fef2df0db7ec7d174e2b5ef7d8d2927c12e8

SHA256
d1f604cb37e1ae05ba4cb5059fed9e4f4cd4a5a7d1c8b0b498bc16730a9cf4b7

SHA512
3d3e9238a95bc2c452f239cefe861832b4c0bb157f270daead3f30ecec3ad3fbb986c1061cfcfae52ccac913ee23391c37d96adbd43bce970531814096e8cdb7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
198ec0a84402b7ba6d2b70bf7d465f3a

SHA1
5d38b6c487de71daf84dd2591e92dcd56f5300f0

SHA256
dee8018d1066dd0895f9a43ae5efc292011ce83a19bf063ace02c873926b1baa

SHA512
abdd359f59c97073bfabc87b03d09ab2007f60c1fb24405405105341d8e00634047b84029777e9ed183db9dd441b00f4f78bbb547ac2eafb74aeebf5a03da808

Download Submit
memory/548-196-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/548-315-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1152-327-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1152-214-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1176-156-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1176-154-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1176-142-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1176-148-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1176-150-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1292-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1292-814-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1648-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1648-780-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1648-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1732-328-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1732-815-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1956-112-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1956-128-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1956-129-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1956-104-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1956-113-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2040-752-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2040-229-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2824-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2824-811-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2876-810-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2876-292-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2904-158-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2904-157-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2904-276-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3052-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3052-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3112-195-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3112-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3112-17-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3112-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3132-184-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3132-303-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3208-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3208-816-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3276-809-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3276-265-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3420-801-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3420-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3480-808-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3480-254-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4180-102-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4180-92-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4180-101-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4188-116-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4188-125-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4188-122-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4188-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4268-291-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4268-181-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4520-6-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/4520-1-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/4520-510-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4520-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4520-180-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4996-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4996-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4996-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4996-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download