1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240708-en
resource tags

arch:x64arch:x86image:win10v2004-20240708-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
Size

625KB
MD5

ed7705025b3fee564dececaa6337d782
SHA1

178845227437ae9f5ba41775e09d32e646979dfe
SHA256

1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6
SHA512

7064a3a3e8d7a34075084e309be1b133e3b05ff42be69684abce223be9b02405af6af5d146849ed180d067cef7892a0bc7a70f4cd580a88b149fe83280eb5cf8
SSDEEP

12288:b2hgeKznl5TXJR0j3p2pVUrrQuLoWTF23JVbd0UILzXSocmKdYNq6:Kh7ozX0j52pMkuLoiSJVlIL29mhNq6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2548	alg.exe
1344	DiagnosticsHub.StandardCollector.Service.exe
2700	fxssvc.exe
2704	elevation_service.exe
3912	elevation_service.exe
1072	maintenanceservice.exe
1576	msdtc.exe
4864	OSE.EXE
2420	PerceptionSimulationService.exe
3404	perfhost.exe
3952	locator.exe
1092	SensorDataService.exe
4420	snmptrap.exe
1900	spectrum.exe
5092	ssh-agent.exe
3428	TieringEngineService.exe
4832	AgentService.exe
4472	vds.exe
836	vssvc.exe
1628	wbengine.exe
3388	WmiApSrv.exe
1072	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ef54f57bd79c377b.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{EAC88433-910B-44CE-9FE3-02B8E94F2211}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{EAC88433-910B-44CE-9FE3-02B8E94F2211}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b99e848271d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079664b8271d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001107b18371d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eed738271d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000937dc68371d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1344	DiagnosticsHub.StandardCollector.Service.exe
1344	DiagnosticsHub.StandardCollector.Service.exe
1344	DiagnosticsHub.StandardCollector.Service.exe
1344	DiagnosticsHub.StandardCollector.Service.exe
1344	DiagnosticsHub.StandardCollector.Service.exe
1344	DiagnosticsHub.StandardCollector.Service.exe
1344	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2132	1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
Token: SeAuditPrivilege	2700	fxssvc.exe
Token: SeRestorePrivilege	3428	TieringEngineService.exe
Token: SeManageVolumePrivilege	3428	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4832	AgentService.exe
Token: SeBackupPrivilege	836	vssvc.exe
Token: SeRestorePrivilege	836	vssvc.exe
Token: SeAuditPrivilege	836	vssvc.exe
Token: SeBackupPrivilege	1628	wbengine.exe
Token: SeRestorePrivilege	1628	wbengine.exe
Token: SeSecurityPrivilege	1628	wbengine.exe
Token: 33	1072	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1072	SearchIndexer.exe
Token: SeDebugPrivilege	2548	alg.exe
Token: SeDebugPrivilege	2548	alg.exe
Token: SeDebugPrivilege	2548	alg.exe
Token: SeDebugPrivilege	1344	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 3696	1072	SearchIndexer.exe	109
PID 1072 wrote to memory of 3696	1072	SearchIndexer.exe	109
PID 1072 wrote to memory of 4560	1072	SearchIndexer.exe	110
PID 1072 wrote to memory of 4560	1072	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe
"C:\Users\Admin\AppData\Local\Temp\1e5f7431c644b13f2f1e30a793202bc6f43ff4fc12f3828c7fb0d499f0fd8df6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1576

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1900

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2036

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3388

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 780 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a4cf062b78f0368b3c173cd61bbbd9bf

SHA1
7176de0cf332b4227dc39657dffc38b7e94a2523

SHA256
d74231ade8319b0088ca00300102b0b0a941e8092e08a9ae3ad8d72937c99fa4

SHA512
4abcbefe6c10f42adeedf4711d3af400a591e7c51d7a418d2c8ba91a02ea4bbb3ddd3ade011f4bd421ac6be568c24d99906c2b6ed7715e2bd37dea38c654d0ea

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b1d8f5e3560ae0245ac926bc2721e44f

SHA1
240fa0fe987c5bb416b21fde1c23a0539686359e

SHA256
f9fb467fc135f412ad8f698c33c02b1311933df71026ba63f75efac7097763d3

SHA512
4bd0fc594d4faa1c7618ffa9223f38e7306c44bdec58f465792a21d54de55bd30a0c248b14b8e045de03710abeca09e69ac1e6935e974652581ffeae85477573

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1c18045622289a3594cfd94f26dede5f

SHA1
464cbbe8f796061729a35c462a8cdf19cd91c670

SHA256
0b190345a7f691f83d54e28afc696e2046b08c5066ce6b01538a77cb2f87eaa9

SHA512
e54813e8327991f8271658d9186d48545d2c52f1dcc27841cbb0237e81e69354b3591f214d15040d79eb7b88dc30782655e2ce03fe1ddb73b8a2202ab36cca9e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
174e7137f41627e04f6ab492d11be531

SHA1
213140ca2bbf8503b8ef57ce1422ab5ce2e2fd58

SHA256
0dc7429bd5a83c00dae68aced232bd7dbbdd4a67384237b8190d4d0acdd1fce5

SHA512
76148f6192f41e9deaa694efaffa628dc73f4afd12d1149feeb0b2847c8f2216b33602281369c281c879e5f22114a61dce838312b657571027b02ecd3f933538

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cfe6cc96d623a398822335da59141e76

SHA1
39176da69fd8720414b99d2a98e25d7aaab561cc

SHA256
5d1a2f92aaff081f7b1c99fde6f5951ec661ca11d39504511313e1c0b83f7b08

SHA512
337438d6992915bc559fc28d9c3f15c36768a6d42f0c0cb29999b4969927098d5626e4eb081b641457de29edc4ae63025006daea1ed049ed4ae2f31735ec74b3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ac951b807e2060609d5dba265b067a88

SHA1
5703bb34ebb2749152f37354edb06988d8af78a0

SHA256
c73b67b29f02483ae41a5321ad3e83ff9fcc0f1b51c0561a3457d0d017859d08

SHA512
7ab9152fc3a29596ad12f2ef83a3479dcb4aadda0130fd01511da5fe952874eceabbc2905cbcdf33b1103336ba3ac83f7ba340ffa0300525406f1b7c1800b2ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b30b6220e59ecd222adaa68c54151a2c

SHA1
ae20ca8a47690277f332a1d31b3430109f0f9f47

SHA256
86741fe6e6a20e7f1cede29f5342b20bc8c8af9324d98d1b496fe9a8466f9d1d

SHA512
1afc148c04544be96c18d3b51a9e8a2141b8fceda0a058b0382788302fd9637017b87889442fb618ed639e03f8c7b262fec941688e95df73c10791b87066a333

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a1a1c69bbe8bf4063ddd8b0f874c507d

SHA1
02c54609593dc91a0f675545ee3b23d199d22902

SHA256
37fa3bc611d7285bb8d4bdd86125eace8bddfe7c9db8b4ad2711ad101fae23d0

SHA512
9b76029289b20ba45ceb8048552ac2b40d0f2bde0f6d5e8b99e6eccc5ed616584279df45fd79f323bfbcc0c66a522fcdef6f755dacaf53390d27061ccb40f80e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7369724b3c81430ba348aa33bd3bfb72

SHA1
20fc74547dde466c8c99eb00eb4db51173cd0f81

SHA256
1927cf2b8cef94e7ea0ab2e6504e14f6803d41702feb996ee207bd9567aadd65

SHA512
83e32a240d250721379957672791ea8c62d5903702f50165f7089b5cfaafc509e49ba350e494f7c97c59375d46a7c44a32d7660be94f28a03f148a61375ca562

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a87b4f604e68c3a15588e777707dc420

SHA1
365626728535feb8f2ff71125359e015c23e2fcd

SHA256
d6dec28e341c4ffe301327cb890e9bbea7695f6d68aa5dae9882bbf294a8ff43

SHA512
eed8115169458747282e1cf92663461310ec4a787ff3f5fc4949f6c608d2a5d44ad90bbfc0b1f23840ee97b4579e586c90d8b2d7bf6e0a2d06c8e93e8e31484d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
19cdebb7a3e3e50cefa007933d9ccb11

SHA1
d5b8ea2594002babe1c65167441dad26b6febd68

SHA256
6a44106950d7c545e3cf2d39900536e2bc628ec326016ca0cb5d540a22d5b9f9

SHA512
be8be54388485f08e4140c4435a5c9b61f06c084f8f620f40e9e8b60b6482efa3bab6a282181df692eb50e57f521d2befd1d32586df53b8fcec45c1e02a59a04

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9749c6e086e502c2f05c5fd6c1f12f44

SHA1
b7f343d65acff547504d82ca18dd453820189bbd

SHA256
a4a361f79033e3fa2328556dabfc679ce95484a14ae78ff697fcbeeebb585cad

SHA512
01bf123c6eaaeb606bb5834f70f84c019452514776e1a812dc168c335e3d7fd2da839b0ca0c931eb790111d51107f4e1775a470b114c7b4cb508318a0f561baa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0820e3257ce051e64ddf0b8a45ca59a3

SHA1
eff83b5684acad9ba350e898ec46e9de4c36d5fb

SHA256
aa73a9e1468bf272d532997e412e4443b1628fa71b17aeba23c89cda1e61a445

SHA512
40923e94b5356d16f049c03999d1d9f1173159bfd974e1352fcff59b1ed5a0f5ece4401cc81034bf2c10051d3a09931eb118d1c5a3097ad3b19100493fe6ed2d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
928aa95e4347a13fae9df5be009cf35b

SHA1
fe6cb709918ae784cc6c07895159eddbad6601a3

SHA256
8430c567634004ba3011d9cdf56f785b7e1ab2323ed822d7ad7b838668ec6a38

SHA512
e6462ead8639ab56653e4d23286a4ad210db567b82c80ec11405db5c6e86ec304968908b7984bede2cbe111d9792ae0cc895a2778349d42ca87528ca13f0afb8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
379afb8cb9f02863345fae341890af4f

SHA1
f966350b37b28ef27894708a9cdc817f20658d74

SHA256
74d3db27ec39feea58aec5e552da550fbd91c439ef7de5950d937ab2ad3030be

SHA512
bea16a2d1edb310b4866c9610dcd94422d7b201f226996b8abf3625701d82c1cecafd24959ad890088a135a1155bb851dce96a51e04295b21c41945bc2648eeb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c4aaa584a862654ddaf43eb029519614

SHA1
2ebeaab3f80027ae07d20e97a851d7e03b7a5943

SHA256
df13a3c95a5369cebfd2c0252bb7c67bbe4af6cb018aa31d2abbdc8b1ad0c28c

SHA512
9773602f4f86d70722d32746640d9ad331d453a7bfa4cbb1b50e85ec90d4175cf8e47be18bb9dfcfe4e3b6cc7d83358b92223ae728040dd5fd13a81a2964d23f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8c97899b090c8622e5c1fcb1288b0126

SHA1
7bf01e0254ad6984f79cd777d177b4d9a78ca139

SHA256
7c6c11cbd37f7f096c6f9b3b72fed0d028b3f4276b8cf29b5f9eb0a1c30b4227

SHA512
d6d47a4dc37a3031677c25fedafa6eb3d2737a7eba57bc1ce465bda80214995586ee807c21bd56297a48edb092b3c1d4d6762cda1234c7ace8d2c5ba9d01e073

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6214ae15a4a5123363726e296bec4f5a

SHA1
4e802125cd79617f6a7121ffd99437be8faacaac

SHA256
b40a52ee52807bb7593fd6016ebe903748d585dca2ff70869c8e72adde325e31

SHA512
dadb44fc9be1bfe1d1ea25024ef2b9a4591e285f79074525cd748649e339464063ed2c499061defd10d4a191c561ea8aa323311ed65fe576084b7d8f7fd319b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d0080a779b70c8c536bbf01a0ff5daf3

SHA1
38606c446780f92c0aeda4785c42878a0bf06d7f

SHA256
478c15ef4403645491e53cbfca9a3a113a0f405d2aecc8085323a528c9844b7f

SHA512
0af7b3e50071c423336b9c96400ce9a3a279cc1927e816b28a296f65009babe73f1238749bfaa95993e402ea04604d23ea8c07cc817ccaa3856b2c4563fbdbde

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
262e5ca3c446f04931ddf3c2d94527d7

SHA1
9f4fd48fc8c93d86c3cc6c80358099f63cb3dcc4

SHA256
cdc96d57e674227650b2d53238ec2c53513156413ee25b93597230dbd8f1442d

SHA512
49e2b3e0c22b7856ab94c5cb4dbe23223f871e60fd17ac9494eaf588943960e248d60d9803ac6de2dd3b9d2fc30fdb97d8505a5c4f88b692ad3f27b721c5f313

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6c1834e23d1c0a5d0a0bbcd8a67cf932

SHA1
d1f6e247e111a535b1ee55adab4580c4ca106965

SHA256
5f64ca174d5574462f08f1225a148cffb6a0928754b11181c637900d76327271

SHA512
0e8f407e6f280a34b1a041d8e9ea76c3dc3feae2005b18695816b4e93484254d37dfd1196675af42b46d23d6e1196057b3614b243d76ac1991c9b329420b305d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d8dbc43d361c010721d2306846d5e9be

SHA1
b2ae1b84f74fec723313331a70051306ffe9b305

SHA256
b015e5bd38675761c3923546df1e661fa0c8e86f84409647f9cc4d20839c23c8

SHA512
2233103edf3f89a7053b455e811138b36d2a30ca2b9f22e8f76121b433e9f95728468a9d778ac71764110550bcd0d893193298fdd66436cc5d23157d26873662

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5ce7e1cd5ff18e1e54a26e8a298886af

SHA1
11092fcb6088d0c76b0a4733ff5be9c4249301ee

SHA256
ee7bb34c2d7fb8af7cd137346dddaf3167f52fa3825af9058786e3aa53c2b27e

SHA512
5b503ecc52b9a0467d812e4da7264b4eff8e0a1bdf85e45007eed6b9da170e90af9a47a119d891b23caee13c1d99504c1f5d5741dd7020e44675afaf3bb6ddf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a560d8f2a95b7cb678eb4ea0ce42aefc

SHA1
66aa63eb73e34105650ff8bb8e8424f21aefe088

SHA256
444380a2fd48bc0da7d6b03e19be793d0b72bdd8d3a81139da19bc64f98de260

SHA512
04f0ed94018087efcece739c958bde343116312182659825313189998f99206e3ee87ac2d74d84706696d9ccff0684c8118a70912ff93329c051991d97d92e73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
83079a90fccf820e9d6f53c37163a94d

SHA1
0e23f0e6b9278da5e6b835007cffcc7ca7ccf346

SHA256
1a361ffbe1621da626b9b328814672150b1eae9d04f2ea97cca9592703f83390

SHA512
b33781eb1dde529ee8239834a722505d8c234eeafb724bd42ee3214905be37c7bf5eae0f9463a06dc711d0365aa2883734014690631af194ffe6f1f225964ae5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4f4769458c58e9b3ce01da8849a7a3c0

SHA1
c1a67668b085dddf5ca4e484b7b297be8952e2ad

SHA256
1c4c11c678f36690f376f2733e103df852f13d8a1b5ebc320aa41c19051ad42f

SHA512
cbcc886aaf193f260983f0bf6e3b5ae5d03d0c37bce1b25d869623cd209cc53d693c835dcd3f1263d903083f335dd60ba84395714a9d5ddb25b3f259a36e961b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
63b9efaee396cdd51fd911ba45c739f7

SHA1
19bd9f2d73c051945ec28f75683f5630a91cb918

SHA256
7133eea16dbefe18f887314c997b10e725c38627214c00a7c9f787affb8c7c0a

SHA512
17052612cdcb921e4861e076f16f1c19afda72f1f1ad33faf1f96d672fb97435d72b08f2fe0040deb095f2c2c26676e7ec80a184e3b0e0c89efcb9cc88e6b024

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
fa9531a2db9b247c547f6eafd36c188c

SHA1
91405b73f937198b692848da776e384bbdfb80d9

SHA256
0fb371dcf912a02e897f732c907e28a3ea8ac0da24a909c2720744af565365b9

SHA512
80dde2611d77722a92f2d95153108ea333111446dfe5f3aa08a30f96070a64e0ebfc955c1f3e053bb60433e40e372b297f2aed0ca89af2d1c4d9025697798d23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
757c1deef262319591ddaf39adb4503d

SHA1
4b1e31252c2d2bf5003a7c7eeac7706601a53c82

SHA256
e991fe7edfd79393baf40b112005b9f443da0b0a5d7ec376c9dbecc0f9b77ed9

SHA512
d149fefda477a763b5b01b6ef37a77d45991936f8d24531d0eb93e0a9b5d5802b26ce3b45006aaa75b09fd99ba6ed790dc7a66c4bee0fb62072d7e10b4c8e923

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0a2af50f2df10c9fd15bebb2da1b881c

SHA1
cd28a309a0358bf896b05db73ca32aaa4a31fe11

SHA256
ae2fbc82917b898e827ce7e9033a369cd32b9d8b50e2d31368f0830cac75b33a

SHA512
789ee7db495f0981404cc3f0e446d9979f5ddaf7d4b50ecc694ed842de21d8be50d43be51bf9e798917c07b2315caf697a222ada20a79b715ed608a3995cec9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9bc4405e41c1a6cdd1b3aae8591599cd

SHA1
1a842b04e41089d0fa1f5e27468c648c2e341896

SHA256
f7294d27c2c52521947c1d30d08266886ae70521925ffc34e952328775cdaa65

SHA512
58040b552261e8acb323e02f8301719a57f7ae760b69cb82ef5f82671e63aa1780fb9bfc25484b5811da4f766e9198551ceba8c0297c0ab28baa38f7e1f75df3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1952680201e3f46c2b3d83c5c1311675

SHA1
081336efc75c8a3ab597124c89386502f4441e2f

SHA256
fbc0008514bca842c814ac06354d2e6f22946e819cba88b71a35d6d8b1516c3c

SHA512
d91c7007407c597ec7804415d054085ace3d7f51fb616f255b74efbdbcf537be8e841567848797fb10b0ca2eb1bb0cdbbf95fb04f642a72cbf82ae4cde22971e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1364d7f2aec21819900764faa2b439e1

SHA1
de5dc39fb41e7ea7ee994427602d05a516c32bf1

SHA256
b8e659583e9dd500805e30bc858bbd310ab58bd2334de3d43d78621b1d2564d6

SHA512
a38e7c877698f434904b81307dd73580fc14bedceb9b77c79c74f8b39d25021511ba652539ec37b8943763c71b1512810b3d47781a6582a25e59bb3e36415808

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
8f22d20d4b16821a957fa325df115fa4

SHA1
73d901297a6e07302f31780714de38ebd2e93499

SHA256
3a1c1ba9331c0962a1f0ece2e8236ce8251c7036fe393bae41e99c8857a35bb8

SHA512
0579304daaaff03d40b28b1b8e1e47cdd1cdaabd74b6f5d25d3e74c818dfd34bc04ac523fe085b050623acd9b797fb8f81067d506fd7d5bcec15d651db5832cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ba44847ab1caa1d7f884ac04eadd0387

SHA1
91c7acc9ff17f3685f11bc32bf222ebb052c8709

SHA256
b552cbb22acff7faa781bf0e0a31eeecfc6e83b6babd2331e29f6d6891a9379e

SHA512
6c7ad9f21f4949b3a947f2c3d356f20906e8d3d113e8cd800f83cbbda3046b31d3e2511319b4e203d7b8f88e325dba494058052a719eebbdb24499e14aed45cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
131c6836106971fe79f819ef61ac063f

SHA1
0e98badfb508b114fe42c7519865e1926dd77052

SHA256
127bcd3a172dcabeb2c5e301415c79bee11a5c8e8d35a08d8596c17253f2a405

SHA512
f231cef599254cbfe7e297246143b31acf2e0c42825da0be1ed708abafffc0746140286250ad318672c5d95567abee00560ba0dce2090f59a0f1b12642bbea8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d7c882319ab6fb3f08860fd159289869

SHA1
9b957f2319c3e687ea9e71fbff68ae269f8611f0

SHA256
5ed022f45d101b59bacd5b8e5a8ff9625fea7feb51065289525d7c9307a4e719

SHA512
d4503b84b46da471c06fa05c281a7a7b85c8cb4ffee554cc7ecb1a0adcc01ada38c9ece9cf1e6baf06c0acb4449480c8d2cacfc9be96975637c02671c037ba7a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c8f30ade2af54bd28622a273a5c811b0

SHA1
1fadbaf78dc99990dbafbfaa78f8ad8bed81f1ef

SHA256
ac45dc7e6b10a85730cd8aac8e87e7b27c1d8f2ff7414a0ad4ac4d0cd7458522

SHA512
c35d311d6db0fef03e2d20bbd24bf9c1cae9e5b675c96bac3700ea7daba8c4c2ecbac59ba9b31f79046dd1e4b0b22b113b32b402a3e904a57b4c9de113e5f46a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
70eff4be13a427fc4874799c62b6005f

SHA1
3711f960aaf2065d48b8f8acbc99a03c5a6a64d6

SHA256
5cf8e1d5ffb026c4bfd415243f600074a64db3b27c5bcf1da7c5f010a4940527

SHA512
e61618408fffddcf4fe01573cf73d2f3a6a41a5023e648d414d29f150326ecdf53ebe9a7901e6de4c79ff5c265038ad4ca0da685d30e0707b4df1d4fcb98908e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6093c1f8ba0cbd726c9b23f91f8741c0

SHA1
4d73800341599486e655a5ea95839c8f9ff427de

SHA256
43c3ad03f52f67335de7145505b2a9571a52c63b14ef4d1e762fac658842441f

SHA512
02422b2b7bfa303fc27ebe72fc5071f56f982700d05c8241e7dc264cdf0cb55155574a058bb2a14f2b5fc62641345e9cb572e32206e6bca68e98332b9fad3282

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
59d0d5eba2de72c0626331e7f239c568

SHA1
3ce83134bbec5b59f000ced7ead4eed0a5d65e09

SHA256
26de877763237090f89b665fb9536188f0cca151694bba7f2b38b6a039636e50

SHA512
9d63be9dcd3f9a3c312910c89b2e7bc3b57f1b76fd0e9ba6ad019f75ec1e0bf8c71d7738af907075bc4aeded10a0699dd8c165fcf04c92f801e9597d18e20dcb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c0c5c9e918851604ef559ca3dddf73b9

SHA1
6828c28e02bec61050f6eb0599de1fbf85aa1437

SHA256
8979b5f1a0f8246ac00116097267d5642c1e3665f559c265616721fde9a8e6b5

SHA512
6aa39e95ae238bad955141fe42a833fc2ef42c295d91e3069866ee46556739b9de97cb2669899c0b38cb24a59089be202934a8286d2818edee3cf16c89bbea77

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6f1ce922aa8365c431a07b36652aca1d

SHA1
90c726ed7137b803fd1bcc49dd42efc2c5960a30

SHA256
2d95ce73431d9704f99b2d46ed7709dc5ef17514ad65a7acd490249984812c3f

SHA512
a82a275d0d3fffeb996172bd691110203c87baa9e6017f4e2ad1a3865813a91f90366bde2a57a82a0ed4ff80a7fd0e5bb8aa8e46e4bb8a5066dacbf57e83e93b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
cb9c78c9fea49b88820349eeced90ad3

SHA1
e662d4874d54555e1c7e8dd1295b396957ce2509

SHA256
153eded226895c1282c7b1175e561b07be652c498dc75a8266fd5932a1fbddfd

SHA512
9b2f82df71afd18b0c57fbd23ff71dff5dcc89ede29259b806bb9d5ceaee4cd5af4a2b3d00d519958d8eba100a5bf07d92efe49b2ffeefb83e24028dd3b02e89

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1c3a08bc15c773671dde8b4ee947aff0

SHA1
9e565588321b16c8fab56d078b25c6acd3f70158

SHA256
e38da8ad1b2714b6a9e1321764b2f1288f94424c12d37df1c36d4ad9ca3baa6a

SHA512
a1024df73259ec11ebc578ef4f48880de701074f0d174d41aecba9c1bbc8899903fc56cc77402d559aa6d3312db0479766973bb28bc03c654925960bfa516900

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f558f297dd5de924dda39c08ff8a7173

SHA1
164fa91731bdcf27ec0109489b95197e19f94bee

SHA256
81734b8bcc64d8ee20aea03356437fc5687798a8693226abc51813ae27152d96

SHA512
454c682b15cc5cdf357c9280a21890d25efcfab50b2429c65baa2d795e48ceb2d17bcf1d41bf8b5e32bb4895c5e5db35c3af971ca678a474d00241af9592ccde

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c2457b789405df304981b33f4ea685eb

SHA1
b72a0057a3b769ff46904ea82b141688f580dccd

SHA256
b7fdd8e1b00835b8359b773ffac222994878fe5b44d62a1f1aacd1dcc144a04c

SHA512
0762e10ff023b0ca4f22a3192273070bee9f69b774ed5714a73e39716dd451be56782ce854aed67c4adbb69be4c4733636fc00bbcae300a6dbb1c0e77b093ebe

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
29685be7a3f510440cd162374e76bce4

SHA1
89f196f7ca17642ec4cbdc4a78ebec1295d99079

SHA256
0c33599833d9cce6e296cfcff2ac1299d7542fd25462430607d32627be15b50c

SHA512
9c74c6da512ba9edd58764fa971801dc9f17eb0714dd2b27d5eb0eaebebdb532e60b5afa45c292defeea69925ae3c151a9091c5d61d7350ff1fd5b8e8179e752

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
960ea3122fa8888173757fe9569513a3

SHA1
4073a1c79cfd533823e9fa8065381980b58e725f

SHA256
8491f7242d389396318bcbbda97feb2cd485953247888bc4690ebd4049f51277

SHA512
4b348ce8ce1f0de1ec142e024c1996d7e2c36d8979417ed79a3230b08aaff71c267ebea6f8005c212e3fcb2c8838bc9abe36fbabb66ff3d75109d800792fd8e9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f85a668481642b74099974a99c0ecbf2

SHA1
78c4e10f24057e1e05531778edcaf46393e68ee7

SHA256
dc339ea4fcbac33cd64210496ff64de5583eef4eb92b537915dbdd24c34bdba8

SHA512
0d3cb0f81c127eed6b9ddff77d79434959a8911bc102a54dc4be3ace3ad248768e8f240604617c01c0d90652b3d707b67bee42ad5b2ad71522a6390db70fd9c3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
13ec3c957a82428d1c4b07100a15017d

SHA1
ff92306f2ecded43eb35d926beaf29ae5dc7b6f5

SHA256
168258dffae6c5ea52f8c95f39992bca83d3f1e8eeb4155c645db632dfb6bcd1

SHA512
d8c95a34d00a8f08eeb9fc7824e678655999a0d037f9ae08f8038a97915f17fb6a878262e96299094de1bf4866d0f2bfad4d173641225e0cc5529ad9d5a33f21

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0911de9e0f8b3acdbd8bc6a4c121222d

SHA1
63bfd91659b7ca87f52a069f33fd4b8c6e0c14c7

SHA256
03fb4d4a8f58142aa295c2d9c7fae2ae75e578c7c774c3e457c345267c3fca1b

SHA512
9271f08e316b8073ee5d6282b8c1897fb2b3b3d36d3603e8dc1de8bc4f593bd5a6be2708affb50e177d12414ebac9fe93ae340f5429d8d9741fba4653a8760dc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b7c324a2b36e3b6ee7e9b0baee221b36

SHA1
fc4fe19656806fb9f0736c87043e59ed34c016dc

SHA256
cf9769b7e1ee5ef1b8cdce70da2532320d2877c34ee915dfa49dfb8cc88783e7

SHA512
9a7e6efbf7dab2a4b52cc1b23a02f1281645d44036e750dfacd734a8073af86ee97c5097963b743069fec4ac77c2481d89283dcba62c5faebccedba389c63c11

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9f43ae160918ca1aa4428533887d874c

SHA1
c2ac86b7ca351a6ddd7c973de1706200589d987f

SHA256
2c16a94db5a3028b3c95782e8c603c098c840f00297d327a1181e071eaebc2bb

SHA512
6375a46203ee96034d2fa7e59388822546c72fb705b144169b8de4caf2d5e4a8e63c6ada6ee648080fef1c6a959c2969ff6b8bcc9e37516215fd0076c3d4f0ca

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b280fb4afcd08cd2644f824bf335d504

SHA1
17068b00c0d4bef949375f1c7632a12f7235dc14

SHA256
7951f7886013689d059596465dfbc555490eb0b67e30e492356bd0082ec2365f

SHA512
69cf762df588302ea1ab1731224383b00c71ac64525020d1846c604518263c3a2bd7cf4ca274c7f8ec7ff0176a3b027a9d214e7a725555cea9205180d8330e50

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d24c17f594c6d0c48c0e8d90fd6e8796

SHA1
d84abd57a3ea7df2595335ab77af33c8418195b6

SHA256
925b9154442eeb347126591cd51e9349198aaca7ed20570221d3f15b3fd45ad2

SHA512
a28fee3aa0a5a3f94bce984420502b6229dfac80a12107b00b526fe950f20da6b72d8e9e707c2e75f36e017e158251a2daf3aa4756561a5e08a1b13d41bf7dec

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cef166133e8bb713c7972792ba638e93

SHA1
02068956ebaad0b0cf3130513b3f839c74e4e710

SHA256
cfce64906b045478e22cdce2a41d582f1999c540d6f91cdd20d8d4e7fc677ba1

SHA512
5d1c3d261bd1b6231de4614b53073182be60941a9fa3c71257f7fff287d41af3aa451c201136b31e6e8a0763a4c603db60be58dad2e3b7baef641c8fba0f4b80

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c5ea016a30116ee966ca0b189ad32084

SHA1
61a5d3e8b31b0f093d1c69c5fadf0e2005ff7bb4

SHA256
3e98ec338bc117d614a6c6896040ab180247645de6462d44365d025306986af2

SHA512
95054cedeec4e5d7c92b84192f3425de29127efbff21221048157d7164b7d784655298b8ec2e3af9324030b70216021d94bf8e0706aff1be729da837f9cf4b91

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
03e03c251b94fa3d29207ca798e80ef5

SHA1
e9c7d9f77ba71dd13e37b809f6ae433316371fe1

SHA256
8aeb7a03f3fef91f3aebb3847ca572887c3ebe9a6e77dec14cf183b7f8f2d6b2

SHA512
de3db087c9b18543a9950220366f61b0098bf3b2736df39a3b53ea0236406a765d5f2402c951a1e2d81ffc7b00a981f554ec37942091253e01f9c80b665b23dd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
18d208aae004e94e09387f049d3e2a7d

SHA1
24bde80252ef7549927fb0670f1340009ffed9ab

SHA256
291ed25eb0e7c918010fb35345097661f7c91c1469fe9713b28e4c2ea5d7ea42

SHA512
751d2e9e9232973819215dcc7dd399f4494dddd31029799cdd5b610d87b77acdd3ade88928fdb2d479be82d5cb0ed2e801406d8fd25cd0db58bc07f93f037076

Download Submit
memory/836-559-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/836-271-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1072-81-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1072-86-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1072-561-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1072-75-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1072-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1072-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1072-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1092-206-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1092-517-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1344-27-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1344-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1344-33-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1344-554-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1344-34-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1576-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1576-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1628-272-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1900-208-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2132-200-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2132-4-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2132-8-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2132-427-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2132-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2420-203-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2548-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2548-269-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2548-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2548-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2700-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2700-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2700-51-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2700-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2700-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2704-59-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2704-53-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2704-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2704-555-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3388-273-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3388-560-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3404-204-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3428-210-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3912-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3912-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3912-556-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3912-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3952-205-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4420-207-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4472-270-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4832-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4864-202-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5092-209-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download