f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
Size

622KB
MD5

cfde993fb9c22277de242e83e76d3c80
SHA1

b4206c0ad5069c0a548fe0986eeb58054e4551f9
SHA256

f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551
SHA512

09bc3cce8290cdc3e3b61ea400531bbd31fcde69646e10d6c51d94b127929fec1ef570baa6c1f8695b15c376b11c463e3d7ef381da2aca52f7b7cda6f759b655
SSDEEP

12288:Uu2p/SInr8vv2BDeT+bVYHTb3FRk/rMNxaXqqlPbJKTGv5DYFXOBnXREHa:UuI/i328ab4F+rM/aXq6bJfBUam6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1476	alg.exe
2436	DiagnosticsHub.StandardCollector.Service.exe
1820	fxssvc.exe
2676	elevation_service.exe
2000	elevation_service.exe
3412	maintenanceservice.exe
4940	msdtc.exe
4344	OSE.EXE
4824	PerceptionSimulationService.exe
4092	perfhost.exe
1832	locator.exe
3248	SensorDataService.exe
5064	snmptrap.exe
4300	spectrum.exe
1548	ssh-agent.exe
2452	TieringEngineService.exe
2480	AgentService.exe
3148	vds.exe
1056	vssvc.exe
932	wbengine.exe
1064	WmiApSrv.exe
3828	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\239f9e96c9b3195.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\System32\vds.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_130421\javaws.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001139441f5fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006872bb275fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010cc39205fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da1002215fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf6bf91f5fcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2276f275fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e10ed8275fcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af6f9c1f5fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003efe481f5fcfda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
Token: SeAuditPrivilege	1820	fxssvc.exe
Token: SeRestorePrivilege	2452	TieringEngineService.exe
Token: SeManageVolumePrivilege	2452	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2480	AgentService.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe
Token: SeBackupPrivilege	932	wbengine.exe
Token: SeRestorePrivilege	932	wbengine.exe
Token: SeSecurityPrivilege	932	wbengine.exe
Token: 33	3828	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeDebugPrivilege	1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
Token: SeDebugPrivilege	1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
Token: SeDebugPrivilege	1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
Token: SeDebugPrivilege	1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
Token: SeDebugPrivilege	1800	f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
Token: SeDebugPrivilege	1476	alg.exe
Token: SeDebugPrivilege	1476	alg.exe
Token: SeDebugPrivilege	1476	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 2956	3828	SearchIndexer.exe	111
PID 3828 wrote to memory of 2956	3828	SearchIndexer.exe	111
PID 3828 wrote to memory of 1552	3828	SearchIndexer.exe	112
PID 3828 wrote to memory of 1552	3828	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe
"C:\Users\Admin\AppData\Local\Temp\f2b5e94f398fd151d91cec198f3d23754c137086a043d89b68db76c557036551.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1684

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2000

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4940

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3248

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4300

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4504

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2956
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bf7520e3e85082281409910cc16619af

SHA1
751d9ea9b9b9b8765a8fa3b8a9f63b06dabcecfb

SHA256
3e12852673caef9ffa57df04a0c52828235074138ac5c7ab55d62eaf7b85e24f

SHA512
42d0b7240ac447d694b7230824ddc29d6f7a7b56f6c52fb36da8bebe675bf39498ec2014fc10c936e7c51f6e240638176f598208b42c259363e24e61d671ed76

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
82ddcc8eeef038f00b5d003754c827d5

SHA1
ea9acb8170e2ccd263584959e7d8b54f1f77b1df

SHA256
b83f111f90fceee4901336f6e381bf97015df564303a876057e40736bc7b7e95

SHA512
f848a89e0136ed29a8a7fd8970d0bd42180bd82d6931f8ab35585faa9232959248b649b06f71fc569de19da9d1bf948c444bb3cbb3980cb1349b52955c254e0d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7c8ae49accd990acf1936faabcf4c709

SHA1
b2eed882c7460eba75573461a45687e0822c9073

SHA256
d7fe59151908d7b8a9fd4a03f90ebda06d49d424e887fb0875f09d42ec86cab0

SHA512
75576694633be90964e5a93f250e0f3672da57f23af3da27420368429db317a969158462a4e7b77082dfda4e2a2e325fe91a76455dbe68a73b80798097be5571

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0948f7746c337c27953244ad6b74bcc6

SHA1
b4bc74e984d9cb9ec51bbc3bc1986c96e068872e

SHA256
d6e97c6b6dc859953f92d1f281a337b3ff7d727788549067aaa692f3293dcf65

SHA512
ea61519db733cc4c24ec5028e6cb882ec402a1f705570145c2f30750274c13d8526909e407904f6ab38c0c8501c90f519301d4bfebf72606176bb32fc96f97cc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1bddb36cfd16cdab97d853745bc79e4a

SHA1
58f32f2aeaa3ad15dbe5facecd0bf322177754b1

SHA256
ec751228dfc72d818967b6052cc25ac511e8061ce8edfbdf26e9ec969549ae54

SHA512
c66ab64866ee1d0862f3b045da065c1d73047ea240bb992c2a0379c71592954f662c4bf90ad2a7c17d2863e42d4f45d7cea2d2d4fece07303cf5b576c7a388db

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
29ed9be13402d72cebf33011ac4e206b

SHA1
bcce63d6c9698ca87d1ef2f25c019107b8bc59f5

SHA256
4ef840304c9ecec01d180746cfaa3be3c82f3c2fecccda1f8ba5d59e53285f91

SHA512
40baaaa7664f957ed0dc053fd12e091a296b171c870d984559cce292304d2d498403a827108d4239f7e5bc4e6e3922aa4a5e6912d9b974341dac78ea8c09b5d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7f0e66edfdfd55f07fe267e266efb98f

SHA1
d9b8b1320b59a62b190f2e3cad1ddc95a3c04ec5

SHA256
8eef84b9663cad56ca848e9f65e243f5386b9676254dd93b80b33dd39695a00f

SHA512
cb9cd8dcc17a94a45cdbd1f860f874684e78c5cd7b7f2d46f9fa62f1786e8bad16361d342d2dce1f3d025c22b7aea489ba4696102c60b08841baae94787f8984

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fafab848388f9d730774ff797530ac90

SHA1
8a9757bfc5167fe5f373185c9892f23027896141

SHA256
2ca2b0c8bfd1ed83d85246665cd01ef8966ba9d9125f72a0bae137f91b36f1b4

SHA512
63a2a22a50ebd48b443c588d466f53f11686972e8533214f16ec73b4075ec524db0e79af17aa1d3ba59b4b7f4ec6b95f6113780f8458207b30491974369bc95d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a030b97c1517f8be555297aae1e5f784

SHA1
bfc025210e18a9e161938983eb8b0dc3a36a2952

SHA256
39d44816f09d6d7c61f414831a728cec7e6715bba17f035d447a8e397686c3f0

SHA512
7cdc15043d71dc0a80ea5c1287a9af33dae1feb73fdfd4090d5dbcc68b7a4c5a217a3b23087379400307d58ac45ca20de4073cd53c7af08923b6a0cc6141a461

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4cd32b9419a47c6756aeaf1adf18f3f9

SHA1
685a511c168ca668a369adad6dc5c4fc051fe8f4

SHA256
1be72a1ec1d8c63f1052448c751019834a11b83f8d0402b75cd52ce9231cdccf

SHA512
7c24587fb3c94e1dc0beb2071ed5def5504b6f3e4d12400fbdd855213d52fb39646b58606fc6f7072a636fc6225f0bcd9f9c522c5ace02d64f0c35be9fe6f48c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ed274d56a319b31f9e3eda2b2677c56a

SHA1
64ea2343ef0404ac217085ae2d1279b0ccf47017

SHA256
a404cd4823fdf5a68481d8fd90cc4139f4e4bf756af346bef7738851b2b09aad

SHA512
0fe5437e08a66e0fd7ad2df9e6326c9a2df452439d7bf1de4b6dda84bb1accf5b3c502006465a6ee05314e08bbffaf035946ff236f40963a441aa0ae57a56924

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a6ee1d212b3a2cfb88e0ab4d2c3d9b82

SHA1
a8fa44ae19c2040fab4558cda46fae182366d346

SHA256
4951ba2f9d60a51b01eff5d5f0dc00d6dfcb399eaa3c1c33508a7e3720021e7b

SHA512
cff8858d04ca222060bc0c0a734c4270a9eccc5db103f0c448b3aed7108e93b6960e3b59012d0e38b2af8d2e131563ae13479eaacb2cf18ba95b9355ece44e37

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ab69dfbbc27cb801c6a04dbe3a46d924

SHA1
d35f2ec441d9e78d3a85eb385bca006e3261bba6

SHA256
47b27757de744213b8561ad2af270c8ab979ba3c557d27f08620907bf3b2a0eb

SHA512
3b80844859eeea7ffca467f528658206e90160c2b204cdacbcf6f8f3822475eb45e3904e8b7bf5923594e8afd53e094f2180fdd8c30c4e8e24a173d8da5d15c6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
203365fbd33bbb81f75d67fb1e1e6331

SHA1
e731855d531285e95672167950693291f9d1777e

SHA256
28a603438e52c6ae2632141c284d5ca7f23ebb3f1f5eec7d8fb89094b37d84dd

SHA512
647b36fab1ad4b36351c9d149cfe929a6234225ba01aa43a65b30729c26eef5bc48e94ce3326903b6939fd1ef20db67d2419eb4ea9f53c40ca5a53bb91db7e66

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
865a54f682a347f2357696b2fe0e7f0d

SHA1
c5fb67294ccec5600b0b56b774e732f87f248cd6

SHA256
fc4f635c3205503d5d00d7a2d97bc6aeb10f50a497b51de22318c7d13531f664

SHA512
57ac79b3918a559bfe3730ddec9d0594ce88d223fca38307a53169f8059a62fd0b0f315f2b9e1382d60de8b14a5868f48c5f0e698309c7f7d4e61ae2e81f6202

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9d260e4fcab66b5c6ac450755e2aeab3

SHA1
0f480536da76fb678dcb64c16bfb5f8e45062984

SHA256
02ba821fb61bb658d3c01fa24882de957c5c3702b5e1a873564f9259986d56b8

SHA512
0d791805c46cdbfd6cbb1094daff1d36170637ce35c778dc25a62694966beeae4a3a54f6ad4b05da78b519e8024ab65c3215c825e3971cd8fb51a35d6aa7ba16

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b34513a8c942523f92dfaeca5b02782b

SHA1
f608e7a7efb0f48b2c8091f2e1df7d05a958bc45

SHA256
7ddbfbec53e3943d2e93edb8ca84e5eec356762dd863da76816cf79e583c1216

SHA512
bb8d4f3d3960c02f48d869f17b6068f0876f2959e522d6fdd9c408b51013bb3e674947a7ca21379924bf08f78cf8ae2d9633c78a7a18fc61a240fc85c796e55a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
daff3e3dd1e5df887f725144a57de962

SHA1
efcdf31af520cea8d0aed06c0c2681dacec15513

SHA256
a3bcad85a0d73226a0a1a5012829844d3e4044d20dba40c7e8808c1941922214

SHA512
c8e3cb6320375abac1a61d785d56d6b32f9a7462d3a2ca275ebf69b81af1e9709820cdd46d33747ec361a3ebfc5ba25e181c48d04b1c80925c512794dc242ba4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f001c8851b42e91e3964bf64736d0c1b

SHA1
c84f94516ed87c06200a3ffb81f45c985412ac68

SHA256
19f86862e0b9225d4c21623c004f4b4fe4964d74b7056a864fd3c864740caea3

SHA512
1452068b9d515ba376dfd85e61a0db716a318d53681a1cdcd645cdb989391c06b5f2ac58130ec3428a575270722fb94459370dd3e8eb25714e6c1d6512c71054

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
424b1c4e56351e478fe2e7f90a28e779

SHA1
1dc2343e8a7fdd0149cc457e7c04ea210e13f605

SHA256
cbe8b19850c5b64b2295a2d5219ada221a872b237d3e4a02f27f02a39ab9484b

SHA512
cad71a6e853808833ac2b7df4643afcc412e87950c128926fff5181a47a86179bb4e1adabef9a482c929b22ce679dbf1c8f2ab4c02d17cb98109b89922615504

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a227505d2b4af52c693fee9423c2fd97

SHA1
ad64e2f21af83fc97e2da2dae2c8179536e680b1

SHA256
bd9df22ff978210c0b7761aeccfeee6d6a56cd7d17be2da08b91bde46ed27d0e

SHA512
a23d7c81892aa1f344c0842167c7c0488ba6fe044e2d4ec62747ce12a89a0a2dbad0f776411687c4068589ac69a5c37a411340fda23580d9b188bee96ba0e034

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c0c534a1da27c157e0dcd1a24a4cffd4

SHA1
e6c6674db0fbc34630dc7f7bbb09cb67fa7a305a

SHA256
65b0e9bdb3017e6a0e77f400a25f880c0860a439b25c6361863ffb8d2ef09a7b

SHA512
31066131810e09a9f492e2740946db741b219f6c58abfda60eef4e61f7310a84eff4cb73cafa2835bd88664af33eb95409e99e7169a9f5eb63f6be717dd21c88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e666706c7cea8287ef7d760676eae789

SHA1
ba6ec46020f18b5cdf5372b5d0a051cfa0473d3d

SHA256
69ccf5b4b7a0eb8204ffe2978fe9ad0d01c4b1bfeece8c9dbbd76947217fa12a

SHA512
aa5208f7723c06a4aa8619805fb5ebbb2240e4362eba8f18440084d173954cfc991e13092cf1449200e13dfbf9307ca56d2066db874d36895314ebacf8630d78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f3638a0c0125e058723b94ddad84554e

SHA1
5594c69efb67768f78a324f44fb42411b9a5aafc

SHA256
20f7b89b48744ed84d9ae553c3aa374f5f741f517586e2698aefa6b67cd17eab

SHA512
6bfbeab7e2024cbe4292fa6a088b1b1ec32871a695fee01b4e286a4f4a42f6f3d9a8ebfd8947ab02355e546e82faeebcaaf7943dd91143c00dfaa4501963e16b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c993a59fefeecd545c0a72ecda41f1df

SHA1
77b229c552d737cd2b3c934ba34cbd1920a5a3dd

SHA256
9b7edc4fd23dd33d9e4a49e0c00706b5509837e7f2421c71fa7751024d99376e

SHA512
01de2226945ac707739fdf93d4fe43ed62e91670bae7f1de0f100289ea6a888909d27426e1fca0d8836ecae443ea7c66652ea9be09b89ccb2ddd61993d08d112

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
17691edeb1254b765393e6149c8fc91f

SHA1
747dde80d4f2c788f0c430b08f6150af42f6e10b

SHA256
65eb6d6e2c27eab575359022d8c08d52164907dd0fdedcd274b539f15b494056

SHA512
0c1bb612fe023091aef2df85f42e4c20b237b6058c0a2c8a5691d666cf1dea295b0728cff3fd66a2704ede6c5ad4728700652aee988e4100a1fbf944a6096fe5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1a8dd58c12251282739e9ddd62cbdb79

SHA1
530509d98d75877f9928a2e121e3cad165f32571

SHA256
888ebffff767a23cac118d56afe2046bd6e77c1e349e36e0775f741003ee43ad

SHA512
38f67c051f1a89bfabc134e491d13c5037843669a48c9810e5afe2528c9de7ce8b0ddf9573d15d1e8f261da52dde7e342d6683a9e36d387d3f8503986a644711

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
aa0b8ea4b1fcc3f38012f7646dae69d2

SHA1
68a3beb06d8cab827420ec3d949f1df6ef80db2b

SHA256
755c223c261e17f6ec7ff24ad22979562871ac8b7f6b4a08efea3b1cfbb90c29

SHA512
ad9c077a0d24803ccc88a0b0ae98d177b0a734ab4114edd7d51ebfd198a78d87f4432b3631ba15c29a007525a8590f9315d78956d1d1efbe68f8052afa7afa84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
9692860f8711c2a3659912a990ff2502

SHA1
a4674c3c1e0f087761f18f0a2fe3b976b9111b34

SHA256
c9db0cd44135023138f9c2d9f4ceb0dbf731010e22937d977dda9edaa8da255e

SHA512
02f6cfaf5206c3a0a0d63291bd2fe337fa8b4f3af261f58bfefd87ae7ad3c88372f764cd5645a012c29b013b8b793d8e78b2964df20cee25acfd5b222174d234

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7abdebd99072a32a3ead73dd9ed6092c

SHA1
f1994288289a2b32e8f2f52b6c11be5b6c18b72f

SHA256
84105469c9a2a674fb5b132811ab613c9c03c6897b64ca255aa70fb438637485

SHA512
35ebae85196c29e4ee35e9301326bacb92e880f478a72771fba8a97e9768cb84b034361c2d194e0b08ec0fc9304f69b4c5a454cee48e5b96a1df6f2d66fb6b66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ac02fd7854c32904236d5bea6ca15167

SHA1
84f365133dac7e1574aed4e28d8e9ebf5ba7ca9a

SHA256
2204c8b2bdbf6a8ece8e8fc86852f0b33be6ffc908f0c146dcaebe60b2608506

SHA512
ba73529f45db1861fe0bae9e3e132caa188482b73a4a0e643e316008f8581dcdc5d29352d38524a0f807cbbac3906643f7374676e2cbf4e01ba80145a4f5b1de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9c897115130d922b53a1dddc5fd6af65

SHA1
8f4ad2302b4279c585456c89a1df1daf77c3ccbf

SHA256
3f25c0803e1715221d14bb5d57c1d17f455e915dd09c56e10dcd375a7f17005c

SHA512
47babec028e092e98f6c588c46cffa0f4355e99c62ef64a45ecf06e8bb5476dd5bf85c9d7e8511ed0a2fded2af7829a6828f45b08515f09e78c774f6ded28e3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
13ef0a4143047535a0f18b6fdadfb5b6

SHA1
9051402c84ae75796e08bd7cb4a88362b7b8e704

SHA256
8efe895b60e1d578984d0081576f1a023dc610a2383ce3a27ddd92b34428c779

SHA512
1b93b0d22d94ae7d6420eb9d605663f075e4f1112740cbdee67ba4e181a8d1b596c38073214d9b6624ab7fbf26748986e0b1f29f1f43e11436c0b3a546a11a45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ff8c257dc63efe3a54437311a5169428

SHA1
651105bee51a2f525718fd962d72601f4f08173b

SHA256
ebecc25b8244ee30d78b959600009a9c9b5b4d5bbd22902c043a2ea68562a143

SHA512
0765a3e6a96c6b39c95a98c3fcaa6b0de1a9f3adfee832ae61a50bf3ce4dbeae8a1ff23a77ce609130de099757ddf1049aaedce40dc25883cb7a43c7dba15a16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3fa2c2c96820b3332c7965c532847540

SHA1
b2cff2e8b8c60d9048fc8b58d3fedcb7868977ed

SHA256
41b1ebed67ed3f4c79c979b0d2f7a5bb5825f6a626e728662ee5e1980bea6d92

SHA512
9d3b599f5da5a6cc3a9bc5c1030d1f0ac591edde5f6206e7056c20c1501776c55f8d4246a00fae4806eb9d1c385b8bab8b33a5a077b266dca35240b32f1c1835

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
68291bf7f2e812ba235f9ec54ffbb734

SHA1
dfed845db0f234fee892109b85b0e2632b0fb001

SHA256
c3373870044eb98df741b635c2c6ea47d492e03b46db8b7246c3d629f4e051b7

SHA512
7be08a73099e73a72b0ffcb64988b2dba20dbc9c90f62ec865714f25dba9f3e29b13c884d53ede813ac8d15a71e7bf8d8030546f6a79da8aceb85ac04bcb3471

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
17f382752dd4941d3636057aa028cdcf

SHA1
1db86f34473d85f0e8ed8f8f3b79b3fbf0be727f

SHA256
e1db8d8ea9460e09c9f949d3ee57b2d6fa41e942169f7d3cff5d516164f5f028

SHA512
5028e06b530efaa761233e065219e7fa60d8f6e455fb4ef9e20a0efc41869d2a04025afbe31b6f05fd8ac000a340d08a2b3902bc6c4e4b680fa81ca901ad3112

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a2aa2a8842fb30df60f1f2eb35ca45f0

SHA1
3cf3ea81d51829d5104321399cd5ddc25926e6f7

SHA256
c35be296e1baae0911d072f4434224290ed8c24f584ba043d0b737ff0f5f08ec

SHA512
edf3261e30a82076c83ae8c7b9613a5fda5c22cd3aaf25bd4eec7626b690ae6a60e9584833fd0415d0894faaffd7ca814c16032c135cad19e0c6641ad9a9fd43

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1410fd92951807e70266092f49efa8c1

SHA1
2fcb9563a169522fc6c247a781844fe21b1298b0

SHA256
ca994ef34bd1dc1a90f848e6e2bdb0d2613428a96b541be0727cb4b3d443084e

SHA512
0b417f04cbe26a3d1876a1a66250ab98a896e5c439d31f26a259d00ba15d3fc612c52e129c9f36f5e4d2885b839fa06867771584cb7505d0bc1f88b10edea807

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2e29a70da6cdc55945b70dc4f00a76f9

SHA1
ad7d387cf6276453ad8698824d3fb8db99608d18

SHA256
0a06697a30e50678dc69fbea84c2b6343ac4d253ca56351ec1d15283e7b502ec

SHA512
c6ef9e41441d2873c0894942f416848dfe36a1fddd527d3867c01d7bae0d16f18e423a5cb630ac041d02fdd7f317908f2f4cb99958580f143156559e817500ba

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
479e04c140eb6a4dd6e126b798292e51

SHA1
5d268f62533323394e4e53acb7fb691713fa92aa

SHA256
d6ddf71ccaaf70af92222bfd7430a48e0b51da1dd9e6f1c3aa867f6b1df9037a

SHA512
90f7502d12da18ecf9428dd499c603a21e3d983b0359fc2a346ac999758978fd12a9cf3d0d881272193ed565250cdee6a59828a91aeb9efef6b08ed391c2a605

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
84b4e72f2886abb5f13917239cb26e76

SHA1
7e0f66db7e98bdda699fec8e61c547f7c97a67b8

SHA256
bc74d4c858228526bc01cc38780871663d2d804e6342e6628928a11b37746b92

SHA512
3bde2dc6e76b169d51f32c36b1512756a7225259f8f629d4d5539c6b00a8396e369d5f6745f610cfea924a7e969850b719a7f6f04c46c9d102fa3980f8bb614d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1f2dcf8b957f004cd12942719160c4bc

SHA1
f32b2f8233cf464eb44390b683e90e62a0476320

SHA256
23f31538a223374e1cbb5441998d7e9dbff8d554e1f3c2c6942098f3eb4751ee

SHA512
639f731667a2d5ad54452e625374cbc592d1b02b279bfc585c625629c1a8097c85bd859f0d3531f7c7a8b1a8429fdd795bc0788770da43cd2324d6fa253122bf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f03957f6389dc0bfbfd6844c56852a2f

SHA1
548d41ee6821297ffd64f5a2cf699d76416356c7

SHA256
918b1f4d3f107cc5197e571aa3290ad2828846fae7ed333681d98c3e418eadb6

SHA512
e79d87e864eb0bf67c7618f15e835c9d9d8758a5cccea517094a7e602ccab15c997c84014550c436b8b42d632534b61ba99aa2d64f79d65f844afb44acec96a1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
393c6092945855022b449d6514bf8f07

SHA1
1af3167965e146d0f108c1118e891e6850cc5f4a

SHA256
22f20c5f3584da904e10533ec05916b8488d456ae8453ccf9df36aebe4a22898

SHA512
95cff34938f85f0d2bed531562a8f41460843f6e61ff8b386cf6195c14e429b301dc00cbcdc0b292f2efe6aaeea1a14f257c830c05e1e89a7f850ec40b220bee

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a0398092c7c6136d24d70babad82a549

SHA1
3f4dc666dd17bf06ef3e2a94df48b5cd81b290dc

SHA256
7e9e83642590ac6920df36671bdbd1576a5119cd63af47db64e0df1572dad6a3

SHA512
e57ca84de8f3f3d4f8578f5b98e233aaaa4de3e66af85ed26df7962920ccdc92ef190ccaa4eab4826e14a611ff911a3b26b99f2e2b541a349365257c5d212e9a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9a6a81b1a06cdb97152aff5df4aa2eba

SHA1
50c482a936b4ce7164ed4c904234f3f9cefa7f57

SHA256
6b5f5f6f5c20cdbb2f4ef9f1d06e2f3525a7eb01c8749e508959e67260a86938

SHA512
3b0118a1e733dd83bb70ba4c61faeafcd7ef0c0ee5f8df898a8fac39066efa485c71f5a9ce3f13993287a7950f62a561bc6fc4c2722e80bdd28722fe75330926

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7526d40c9cc7a5d1266854b32f6c25d0

SHA1
54342fd81f2d83570bb5a450f4d934b7deda7f0b

SHA256
ef3016b6b6291c481093125711895fe54f77559f1e6312641035d0ac744324b2

SHA512
44397ecd6ec731d29dc8fb92962a76d62d1ff4e8d553946a79558669ec2ead088d0b4d6fc13812bbb14f8fd4c99de0886832fc80bd1059c5bb3cb950350e4169

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dfa4aa72fbde9b6d64e8192848379605

SHA1
5302bb51629524a09749cc7e5b81646d0bf46864

SHA256
2b5f31e2e7fc208fc862acc096c7f3bb5e7b524bf4cc54d5d6afe0c8b96f794b

SHA512
beaa34175d3d976d35ae9f790cdce3b83f7c7e98a8b9830f406f075a458990910db67638de9333a0dc35d6f550d3baf73dd38646cace694a5598196fb1782a99

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
54dd6801b5c7b10729f969c4ecca455f

SHA1
2df0e65deeee9c8a2331cb5897c38a76ea825469

SHA256
93d359253b13ad2ed822a8a2d80f345ad1e00973c1765256ee010e4fd9ac1667

SHA512
c5fc76413d180480c06bb04cddf895eddeee13630e5f04358492affb8e5c3fb4b0f9c3ce7ddab03dcb0fd787698f6ee02fedd33b2d56f8a40ac8d05e0481e2d8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bd156c6dc3d6c2e51ab125634ea8893e

SHA1
48f9820dc0db4a74f01101a3ba4de6ab591113e5

SHA256
811c31dc3e126ae07004f717b44ca9c07c2408a63f12da62ffc2fd3ea3b4f608

SHA512
6b0709d6b6f14f878f97ee431a33ba7c3f06a0d6bebea1602dfac984b7d6c0be02f773a7ab599dd0962419d23f5066a6fc218298c3f47d6edc4f6aefec696003

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4e84d03e08a27ea8266cb472d0cfd85f

SHA1
415d630eb28c2bf59582491f4ef79cdb9649f2d9

SHA256
20ab79299169b674e366e5dea5c7cb0eb7fbc4f842246b8cc0b3bb10c75a33d0

SHA512
0b93cf08cd3d31805b327ff773de7ab9898abad63438818d6da32d158b7c0114481aa7446ea712ebe4d5dc64759d00bdad33d4d67aedfb3d81b9b47ef4c6e3d7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3de4e11d9025ab45b0b428445c6f8afc

SHA1
a9a4e0d1f0aaa9a9e962720c7df92c5d1c2afeca

SHA256
40f5829c3155c5e6a88881ad3b093fdb9d41de338033b27c97882796307c43be

SHA512
314b796742027e96d51a56efb829618f054dde1e04766a88153b9014f8172f9f7c97b7b89f39260140c96cc1673d222c61a5b0d57c6c0aabb0f1fbe728ca08e6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
94d5ca04120f7b86abfb4c6171f041f4

SHA1
a00819cb1c9782cc42651bee240ae41608e31d31

SHA256
08684c5ea98f4044cca4c777d98a9acc49e02a511c45507aaece41651f926bc0

SHA512
0e2b4f1919ad2d3002a4ccd4af0c4cf4123b0fdbab32295913a18353499d7713b037902aa4154608706551b5f2238d2d6c9086bc669726a912043c263238915f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e45d888ba34d141b09e746a60f13d836

SHA1
4732de0c29205e1a751f6c323508834757e54273

SHA256
6a102f382c62c58d5442472d45e70e136c55dbd3fdd247747dc578c2b91fdc99

SHA512
d7d8c282c6a5a2f0f4af3dc7ad35732996d7bfd336a65c97d71034b29696a13ecb0cd92ae726432df153de5d21057b31efc11fef33bbd68c8b516954e577bc87

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
263aaf4ad56f573c745ae0dbff9f37da

SHA1
32a042536da0cfcf01d54654f1f06f1f3cf2d39b

SHA256
209fd380c6e526530d925f68f880a8f266738c0615fdca8b6e113f3215040abc

SHA512
93f0f289d17101514875c043576c3c51a53c331ea477099c6cb0da2a73935c1765010e210ae8d0f2c1db70b2f04d8a8e1f2f6ccfac4d814bea75f936c63d2550

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
165bc0b5b6ed29e493cecaa4b8330f33

SHA1
a12cefad35d513a047cf3cc5b0555ede0d9c005d

SHA256
c94d99ab7cf5a028c22fff467dfd83baa7194e3f7726849465dc76c29ac2ab68

SHA512
861f7a735b6c3654e14d29ae082f9a919799553a38e4019528d68c4664741d3e4d1558f60f9205adeeb3639308d7b1b05729c69e2297a4927abbcab529ec26da

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
40df54f879cdfd266a5bdc9067c68f29

SHA1
30be04a728a05a8ab80bff55ccac2399a1abc3bf

SHA256
e7bfd45988b595d2c8fe4cdbf9d9be6972ce6f787fb4e73c9d28c609dcd22d64

SHA512
7deb94a2c1ee67c318faa1b96e3030458d3854d5e10b65c3b5ff285cf8c0acf0e21c2f8fb21e39a67049f8256d97b05649378e689abc83a71d27621041b08889

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
78ab550a6b3b4e0e926d4c4203249384

SHA1
5505e4f8ae1201ed7eaba2b7ebbf458bcb102c00

SHA256
fa7d52359d5aa456e23bcb371d60377ff04d0178e011fb872dd8808e8f20f4ac

SHA512
0f5226f858dfabfb93aa7bb4d9ff1e854650668207949e8c18fb87a12b37cd23ae182a354d17603f908d9a92556bff5cf5307ed073c7cc3319ef541d6d059859

Download Submit
memory/932-600-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/932-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1056-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1056-549-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1064-248-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1064-603-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1476-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1476-136-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1476-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1476-11-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1548-177-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1548-498-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1800-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1800-6-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/1800-1-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/1800-82-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1820-44-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1820-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1820-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1820-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1820-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1832-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2000-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2000-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2000-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2000-225-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2436-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2436-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2436-164-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2436-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2452-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2452-499-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2480-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2480-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2676-221-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2676-57-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2676-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2676-51-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3148-500-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3148-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3248-495-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3248-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3412-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3412-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3412-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3412-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3412-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3828-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3828-260-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4092-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4300-474-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4300-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4344-120-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4824-121-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4940-119-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4940-89-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5064-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download