9908f44de0b732bb4a8eef3e668f7869262f2817eb52c8f99c2b8a3cc9880fac

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2025, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

1.1MB
MD5

9e894f9f5fb995c45c026405c38cbbfe
SHA1

43814153b994f5fa0f0436f7acde3a4a8767ad7c
SHA256

9908f44de0b732bb4a8eef3e668f7869262f2817eb52c8f99c2b8a3cc9880fac
SHA512

b8b66da6a85449e4e98c10781fef5b97b672e8543ebe4b1e0873056bf08c4ddfda166b8cf6e93485936a9177516c5d58d0f1d551d941dc41f277ccdb985bf57b
SSDEEP

24576:wQ818EiYTmp7kHizJyhZApJXNkNSvnTVUuJLinlyK5AFiogOj0SC3b:8Tmp7p6yd1vnteFL80Pb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5472	svchost.exe

Executes dropped EXE 22 IoCs

pid	Process
2468	alg.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
4740	fxssvc.exe
3328	elevation_service.exe
2768	elevation_service.exe
616	maintenanceservice.exe
4580	msdtc.exe
1456	OSE.EXE
2512	PerceptionSimulationService.exe
536	perfhost.exe
5116	locator.exe
1492	SensorDataService.exe
1356	snmptrap.exe
3716	spectrum.exe
4700	ssh-agent.exe
3936	TieringEngineService.exe
5024	AgentService.exe
1200	vds.exe
884	vssvc.exe
3528	wbengine.exe
1644	WmiApSrv.exe
1816	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{069A3B83-AB9C-0690-A5BB-BA95775597E3} = "c:\\programdata\\{9A8A13B3-83AC-9A80-A5BB-BA95775597E3}\\3735c32c.exe"	svchost.exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	1.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	1.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1.exe
File opened for modification	C:\Windows\System32\vds.exe	1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cfd6ce056707a3b7.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1068 set thread context of 5420	1068	1.exe	115

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_90156\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe	1.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000193d6cb7db9cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c40eb7bedb9cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b905cbbddb9cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd4f36bedb9cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000344388bddb9cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a1c81bddb9cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000332b3ab7db9cdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000321565b7db9cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\CLSID\{C0AF344E-A451-C0A5-A5BB-BA95775597E3}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\CLSID\{9A8A13B0-83AF-9A80-A5BB-BA95775597E3}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\CLSID\{9A8A13B0-83AF-9A80-A5BB-BA95775597E3}\ = "1742834533"	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
5420	1.exe
5420	1.exe
5472	svchost.exe
5472	svchost.exe
5472	svchost.exe
5472	svchost.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5420	1.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1068	1.exe
Token: SeAuditPrivilege	4740	fxssvc.exe
Token: SeRestorePrivilege	3936	TieringEngineService.exe
Token: SeManageVolumePrivilege	3936	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5024	AgentService.exe
Token: SeBackupPrivilege	884	vssvc.exe
Token: SeRestorePrivilege	884	vssvc.exe
Token: SeAuditPrivilege	884	vssvc.exe
Token: SeBackupPrivilege	3528	wbengine.exe
Token: SeRestorePrivilege	3528	wbengine.exe
Token: SeSecurityPrivilege	3528	wbengine.exe
Token: 33	1816	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeDebugPrivilege	2468	alg.exe
Token: SeDebugPrivilege	2468	alg.exe
Token: SeDebugPrivilege	2468	alg.exe
Token: SeDebugPrivilege	3260	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 5420	1068	1.exe	115
PID 1068 wrote to memory of 5420	1068	1.exe	115
PID 1068 wrote to memory of 5420	1068	1.exe	115
PID 1068 wrote to memory of 5420	1068	1.exe	115
PID 1068 wrote to memory of 5420	1068	1.exe	115
PID 1068 wrote to memory of 5420	1068	1.exe	115
PID 1068 wrote to memory of 5420	1068	1.exe	115
PID 1068 wrote to memory of 5420	1068	1.exe	115
PID 1068 wrote to memory of 5420	1068	1.exe	115
PID 5420 wrote to memory of 5472	5420	1.exe	116
PID 5420 wrote to memory of 5472	5420	1.exe	116
PID 5420 wrote to memory of 5472	5420	1.exe	116
PID 5420 wrote to memory of 5472	5420	1.exe	116
PID 5472 wrote to memory of 1068	5472	svchost.exe	86
PID 5472 wrote to memory of 1068	5472	svchost.exe	86
PID 5472 wrote to memory of 5764	5472	svchost.exe	117
PID 5472 wrote to memory of 5764	5472	svchost.exe	117
PID 5472 wrote to memory of 5764	5472	svchost.exe	117
PID 5472 wrote to memory of 5764	5472	svchost.exe	117
PID 5472 wrote to memory of 5764	5472	svchost.exe	117
PID 1816 wrote to memory of 6092	1816	SearchIndexer.exe	118
PID 1816 wrote to memory of 6092	1816	SearchIndexer.exe	118
PID 1816 wrote to memory of 6124	1816	SearchIndexer.exe	119
PID 1816 wrote to memory of 6124	1816	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5420
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Deletes itself
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5472
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5764

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3556

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3328

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:616

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4580

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1492

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3716

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3164

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6092
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.3MB

MD5
d12b5814a295b7f867aae72b9d4747f0

SHA1
27e567e396711e69c75907dcdceddf4db09a19a2

SHA256
34b2cb4651899076479951f9af41c25e98c8b238ed075b98b6bd90498691dba7

SHA512
20d35e8c55cf43a2c137003afcb55839a16bfb6c87f85ba93edf09466fe7d711b6fa2e9d8b143bc5e76d935e4755a81d870b89117c3e0c243dcaa8be28a6f7b0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
94bd9289a39d77bd9de81746613b34b2

SHA1
253990a5497525565ea79bc84e4e44eec9dcffa3

SHA256
626a16adbcca13c29f70dd2f3f229577d559344de7924a3a392f9483a8ca98af

SHA512
2cad180ddba0327ce0d920eb2a431a62c0fa5f9f3738f78b491adff7b025d12106c7b3c02f9fd3e347cbf75942adf2abaef862366f9b87f3dd8622f9f2579a91

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
a096d21c5cea81b7abd419ff0d2e5de5

SHA1
00d5349dd27637c53cb16748df6b0ffbd3c1be9c

SHA256
a6d613560fba3c3d368c8ae53b53563bd5cc8bede9346ff0205ac4f8da482bf6

SHA512
c5a8fccf83f627e5dad681682b3606adc15600e251b2b684fbf57d8952f125a2da70041fbbadc3ae0a7a1c28695d994255a90f859aed8b8fd8be71036de1ab32

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
62ca7cc7351bec4d55bca3fcd2c93079

SHA1
7ad2e5316f3cfb6a8d32af300ad2604362551735

SHA256
af23557271c206824090762bdb5faa415f5224f152b763f2046dede08e3ecc10

SHA512
8e94d7e42ff1dd66eace488b3f80fda8dd5655bd906c92cb72a0f8c7472efa7f2f95764ac1b389b6e6e69746de8d5787971af655a5cf2b447f8c21a3049570c4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e27ea086bab9fd0870b54bee19f51c23

SHA1
1cd02d92bd4b089580c88f5698656e15e9469313

SHA256
6d1af457b096cdc92ab020c1c18595f78523289d3ef70a5c73b97c39cd2a0e14

SHA512
d20a81a5a4f74b7b3c884808847c39866f6b5f5ef8839462fae73760e3d6d560049ed9bb7d54562f8f9b79ceb30df3c73c9643802c4cb1726b2e752489f4f4ac

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
a9626703434a1d6ef4a3bbdd558bc6d3

SHA1
011b7462a3fb476cf40c13ecd044cae81eea6536

SHA256
a75acfa48c68994f909f5f4f401ed9d17ba91b02c5104fbb7d0b685a0e91baef

SHA512
d9792d0d26ab8b6465b17fe985465c408b9458e168cf0053ae6baf0fafc03eea658ebcf62dd411f26d7d4f324c05b5b5f69ca5a1c2df7b75ba34607b16dfb909

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
ce4e44c440c34e3eced8461bc86449a9

SHA1
367f8540b5f2ec9adc86a05549f965aafcc02e5c

SHA256
bec7b8dce8feebc1407428b0c7b65dd723594bb701d7da8eaf0ec5cd10faed38

SHA512
a10d779dfae42ce574db3f8824ae086ff7d17bf25ba7740e1dd5b144b1201cedce100d5c4aca5bd2bdc3cb1c0115efbebda3e3dea5aedcc74468a1bb77cc368a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bc02fe4eb99e37cda38b334dd677621b

SHA1
f752639f37ee4609db3bd2797b0ad83e5ace1130

SHA256
be1ab9a7c131217d03d76cf4d18ea44120fef2ed9b298bdac8d8bd6a22941736

SHA512
56c276ade345c52e4a7fe9c32f9d8154b41c34bdc2206d3475e765c5c22e3facce20ee180f9841c668374c3d5db63c57242c3fca34322a2a60d0c407885c0338

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
a73eddf73a5d4da8dc20f5b85a9f1c63

SHA1
c1ebcf718afec83c0d9a72963c3c0f9410cb5b11

SHA256
1b89acaa70ee394ad4e0a2202693b94938e81df867c60839113a6e33c26f02fd

SHA512
54fb067c751550b8c478dda0b981c9d60d12c717c982f43ca993b7002c4e4a816d03ac805da27966c794097d1f351c5541e48d7b2e04ac0410cd2afd4aac0f81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
438bd2d5e1afa655f3e65bbcb9f734d8

SHA1
cccf41fc5c26370a6e83d85fdbe731e850c371d8

SHA256
9e842d89b556dc728845981622497941971ac289ff0a035992a7dd12823a5d48

SHA512
216222ca397161ed9214bf90e58addb7ba7ef83225e7d62cc6f5bb015339eb298ccdca0ebe9f6f0a6efbcaa0443bf461e665eeb68e3285ec165ff99d0fb7c192

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e774635cec196669de73fbf349e176c7

SHA1
e6abb4d30bd339bc2ba2b94b0dc78791ab496ab3

SHA256
e1901a82756b4d63b8edabe6efae74d90d303b155775078056e299e95de6a9b5

SHA512
4ae279a7a4d0546ec9cbeaadd8d2fc1628e64ea48c8ef1a1bf22f429e7a1b0afdda58120e3fa0f89fbd0a2fd03965745d5df19d46e9812b304eed7d2b3b27256

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
325b6009387d4103d6c4db64f9e88cae

SHA1
010ce24b1e668a3e81f6a564d333f7cc8f9ee32e

SHA256
6a09efc5d5fd4602a5d1b8205d422aa37f2355701eceb63d9c9c0b20204d2963

SHA512
abecd3aab1dc76d3c448cd1e121ada9e0494ee7105412966f5e0bbc371301145c963cccd68951cdabe55d09ca4bafac0da1854a1b311ac839bb4938be75c864c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1a164ec5f68ceb5bce6cc07b4f23fc8d

SHA1
beec0a603d1e7b1e610a02e8bffa39ffe582dec6

SHA256
813228b4c1f8500d8d374cbd8875cbd73aa75f08a04614071881dba6ce1a4909

SHA512
1b41892fd967bc7f496e4619e323d0741550936a4ffbe6a5937e67badedaf5c3df20c289bb41433a82d1b804392aaf15ba9c102e8839ed8fddcbb20362fc556f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
23d3505fcfdfd40835c6b05e86aae7fd

SHA1
6602b66ecf24879387b3342d83358a5b064c95a5

SHA256
d1c4fe51af79df39a9468bec06934c9e2f5020d0a15b720622ff1872bdf602fc

SHA512
2b306b22ad8dbe0e88b4f06a71234116813a542539a2c04c415fafa35d62258308acfeca8a9b962172aac0f4742ddd4d4ca5c44ab3086beee73ba31abc4bcd7f

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe

Filesize
6.6MB

MD5
1b8a563184046f68a6dcc3cfcd46ee24

SHA1
084393cb9ac926e17a30ab2ce5aef3cd8d47a4d2

SHA256
8870e1e18725113ef1aefad4a24d93706c1678e2b32f0957518c20c74a5230ae

SHA512
81549d309e759556f13d781d9cbda5d54e20aff3123c5759f527acec378b50ffd39f40088cf839b4699bf9cd96c7630b9d13c73b50c30e8d4c1ac521982ad27f

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

Filesize
6.6MB

MD5
3e8b3ae456a21433955940d9e14d57a8

SHA1
b559eab781ec2cbb44130a39fa4232e834bad2dc

SHA256
11609cc61c907573afd18bc06dc1f065b87047b9f8a9f9b7e3f547f16c91b44e

SHA512
8db6ccc1a26013e6c5eb38aa48dd517e44dfe3ab509d1484e6988e968ded2d28bdfebb10b395b1f11890ac1fe60beeabd3ff6306a28ec19fd888ebf422527566

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
1026af879f05276d4362ad57dcba7dfc

SHA1
03de9b74dea33d6cc4b92805671f293f6cb3c7ac

SHA256
6f2fd590dc54150b7f39e81194ed1692fc3dda01ed2e17141c58b4a0843206ad

SHA512
6e14e3e7ee3e433fa3a2bc84328adc644057442bf9795ba79c887331874b8d2df3771505d8ce3a5a2f6691e8d2d1cfc436c05466e0a18a25843cb18f910b935e

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe

Filesize
3.3MB

MD5
c7bff8b7673c22154402f17bb2f466b7

SHA1
dd404903fa46a17df42708eb15cafab5f0a6ecb9

SHA256
86760648a8e2490aefdd7c87c6c95dfa23dc3f8ca9deba7c74d9380f49a4c344

SHA512
9a63d5f3972bb652ddadffa665769f4438c6cea4cadc1d79fd29d7a789d62841f81d7fc0a6444c4e21fed3c6c35ac642bd8759ef27647e4ce604cef4ceba217c

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.3MB

MD5
5e54332fda6ef9a47389a583d3074ca5

SHA1
b274c120c4a1e6a515bd4cead93881837944de27

SHA256
c3b4096c4cd6ff33e8d1560968518d85a5f3dbfaa451e7984d597e91c40d191e

SHA512
3c6132e9b609e9a539b8c2d0deb77ca5f9db7aa6241e683a48f4191fbc8b52a92acb5285ba61c0c5d7b347ec9fd99f3a3a4729880c6e29b0bf950984927f0928

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe

Filesize
1.9MB

MD5
a7d9ddea898f7901e94e5cad553bd654

SHA1
5f23be6b2f3c020976e95792e6211b27f42ec2d3

SHA256
1ab7042aa877fdad649596e1780df16f3174508d402d51e9fc16c3a488f6b327

SHA512
4c81fc2edb9e0bae84e92eb53e7bb7155f7c165a9fca691c3c22b93ca4a09a9ea0be6ecddc2eab2d4bb5c219dc670144e45d3294e8bd61e53ae76aa1891e197d

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe

Filesize
2.1MB

MD5
c369823260c6db250c8cb32ad0c10394

SHA1
d6a774c229f48de704f5db23eadb82279f74da06

SHA256
2bcfe1ae27cb4f4a9d6da0910419a6bb5a5952db8ad1a40957202fc6d94d376a

SHA512
3725f1cf96160be639cdb8cfd288ac55cbec9fa1ca290312bcd947a3557e3b530777eb195a3e84dceb5037cf7ed1e3c9b8b1e5119d6e6ad29c7ee2cc91d01b9c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
10f01d0874187ce92d4bc9ce53f16b46

SHA1
397729d6521e9d8dc19e790dffbdc2699c613eeb

SHA256
5e58bf98bade8a3cc0d05e2b86defe9cda784516be37b4dc94d078847ff2fc31

SHA512
14e20c20b60d4bc512cbd15b76fb5cfd8bffb5ec28f855df862db5b14860a6d26a49e4fae9fa451c446a839e757ef813b7579709e678bff9dad89ef8068e8f08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
3741dc344007eabaca91e9e4d7330df3

SHA1
419beed33fa8dafb8d35bb48d52657e7169d6910

SHA256
609bd00b79e4ed1d14686d02d035d49d5d4ba5a1e765ebd3512126f380f3cb5d

SHA512
1b709a3ace8e8f2a81f4b0a4cae7a42951e11b7f5b6119e9334ab5c6add1ef2e3473d020b5e2246b359538e8c0dd5dc4f4b6fc62b9a30018b5106400a89b9e63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
8b679ddfc730a84e8963ed8d63885412

SHA1
f2fe789ad64b9cea2e72da904e703f47825686b1

SHA256
7fed13879034dcaa64bb7d6e985aba3d42d06b50ee446ff52d743d99c8e12922

SHA512
62709b033f31f7a2d5e2862a1d563284e8ad37401961784afb36d26e1991adfd01f64b72b5ebb7531756e8fb1210de8aeb14dd889126cdff4a68277759607bda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
57090e6729a2998f8125274e35bd80b6

SHA1
ac15dc594273b31306a9eba606eda2121b3de6bd

SHA256
9708e7b92b2b791d59156bf7ba18827a07fc1d1fb621ccfee0ac5a25c61f7adf

SHA512
9517f4d5618f44e720061c6a6399e5915c444c455120fce04c6c1ea0f08ad59e11249c789e5d9e7874e19b565ac10a8f7f5b49dd2f97865e5a3ca78b4327cc45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
ddcf1508c6bca2e4023f4be64ee8db86

SHA1
9fcecc5a12290fbaee189f892e80979323de1776

SHA256
0067d3e7371ed79ecb5a51452dd11c84c9d02b7d461e2689820539e768f53ac4

SHA512
a5cdce52469d7b04cf1e4917e19d8d5182706314efb4b53060879a926dac27ca4fdd173f2838ecbe20f8fdc6b57356a6dcfbfa4ccb947e329f266476fc49b988

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
cb77bc833a1883c0f8d2cdfa4a331235

SHA1
2d17e4b8c80a80a98ffe28be23e273fe8cfa6d56

SHA256
d4ff850335a55f58db82974deba96ce2bbe38706a4540cda43226fff3e8145a8

SHA512
6403ff935fff03deee47ac834a61d17b60cb9ff57d67f7c3cc7dcfdd2d671d3b13f16c22661a6023fa8cd34818169dc77f040b06813dec53036dfa580beaed71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
166693fd93369ae5841811a7fb5f869e

SHA1
d21de7dc829eee3c0bcf8c8a87819097c536712f

SHA256
0d7f28fc5962c004b8bd99cacd6e4763fb12e22b4b604b492ccd2ffaa876905b

SHA512
8b949ebe9461abb8c9215b2e02f38b3facc20214c686e6ba334f1c5985cf8a8710c4af672d32a4937ab5d62359586294f173be8124ec17b8678fa563853ad1eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
f9d790fdc0daa23f53b64d3c6d3908b7

SHA1
02209912792ac55423b5a8f4e1c93db7421c4b8a

SHA256
2b19be7e46c17bfb41b52282be89b3c11f7ed72fa908908c50b53f70f5d6d344

SHA512
37dca89c79331ccd4ea8fdb71a6e00e1ca4203d38d203bb1dd4b344e61c08fd925c4330757f3879e0dd6b3d5fbe3b5aef440ac218a4a5c21a608a57497dcfe4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
ddf474cb1a738a1d851f6bfd4f80ec2e

SHA1
ebe99654a0ba362995f91ca642bbc7da98b7c029

SHA256
1faff928ffe47182cd538aff6663e831535c3308f3ab937df9f3fcd318c501e9

SHA512
e69d3f7b108e052f9f70e9f5ae8f7d4ead25672aee9bc08c1272a1e1cc6d2b2f71423c2fa6d4fd349ad339871add1ec273199a7d62ab9fcf6232a0980c933656

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
b6c26ec443b0a179698da7292f539bd1

SHA1
5f908be509fa01551445eed6b6cfbe624724d98f

SHA256
b52449dbbc510e9b07606bc7f4b825f872e05f536c3dcd78b447869280c77e1a

SHA512
1d85f737b0535f06bdbb6a4c3840588800d169c274b1a2526895ea9bdbd08177c9dcd584689103ff7d744151323f06176b08842ae721183cd5f5222e8e6f76bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
8d19719203761b344da0b8bdd5284c73

SHA1
0169cae0eab685f2c3fcfaff4d58b8b5ac1b15d7

SHA256
49b07254ca477d787116604ac06cddf818f88936b353f2fcd1906ee163fcf8ce

SHA512
30a41aa9d368bb9ac8fde80243f68ed80edf5ec7521f1a9537caa93a011336cccc6440e68b7cc039c44b9505936965a9c6fc7fbbbf9605f1b01b03fb065485d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
e69f1a5b031043d91168d9deacef2894

SHA1
280bdf7b88a0314e2453ed451343ffcca6f7292e

SHA256
2c0380fcc57c5a883af5bfb402664af674ada4c9dfcaa2be4ee41de15c17a6f9

SHA512
4c600bd1e98696e8ce78216c5fa21d94f2257f23bf6c8aa12606118fe449c2aac98a2d41571e11855548c097f860b983dc22af03a5196e111e5f6a9db7dbd8f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
83e2aea5dd68839436ac553bba290630

SHA1
23bd9fceb8038878b5c5d7b56db1f0416e790052

SHA256
57e562506e60a5c91e50ce1b5c8d8a35903d0f1da5809e8d90c3b7464acde1ce

SHA512
39ef5185a505df4364c64f8226157d6b0ae9e987cde949c98a174a39f9b2b7e23f655ef9299a5001b4aa8168961c142d93b786283c31cf827f2875e2feeb30b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
569ee862f71e5afba24f9d981dcf53be

SHA1
85a2729ea7e1836e341c51f3bbe4f1fb932248dc

SHA256
0ab1b11ebf1d762bda855687651fc3e29b08d2cac48399ed7cc991d2e26b63da

SHA512
f18ef8232e5ecf056392554963d0fc41a3a465eda42e6e91e0170fdefc81e40e0a95807db3928cef40f18c417986acbd78321cf4b0bea3ce1cbbbfdabbfe559a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
e16f8ce6ac80efe0e51693ec1d995068

SHA1
d654140613ad0a06e8116bcc0485bb67707ac46d

SHA256
bf53e01f79de995c31b81837ef930079070e4c279c3596b8f7bce9e396a56789

SHA512
f649c7d46a24008452474a0d3428ffad63db433efd6a5c708642dac26706782f39d28ec7ee7e2e64ad2fd74a982666a55e1fdf2dee430bd0737a327c3e4d6724

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
92bbdd880efbf55979560cceb560eef6

SHA1
fbe364504cdf5ff2b32614c049d45817b06bec1d

SHA256
c76019d4026ea2efe4f7002c1de18804283bd1f552aa82e320eb317e6117a273

SHA512
c311ba47c8858912bbf838e69345126685f18fc88b0f255a2a5b2a4b29ed8e727a355642e4cbe67b14513616c9e5f9b750be72b84aa617cbc583a5bd35ad2ae7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9b886ecc5dea1ae5ad576d7ef2929f58

SHA1
47cd03264bb0805df1e86e2b9e003cdb709daf71

SHA256
eee9e758e5d2c41de012c30f5a925dc34cbfe96863c8eae33a0cb25670505a7b

SHA512
a0a2c43d23bb7cb3326341eace81ef9b1e503b94f7de4fb0da2fd3985590fa8a891d465548e6f05e0558a9770635494d3331f0d5900a86935c3e6cfad5dec362

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
cfd4a8f7da6955ed92afdd6bd5e48d41

SHA1
88829dd41f13941a56e4fcad89dd35b5b4a72958

SHA256
0e0f2a4889a2858e2c92ef80eb22a7ab543ef99e760562e6b6d28d2832c5a555

SHA512
5a5f9e3469d5415a892a45946ea86e94d42a5c63416dd87967ff03de39e2a6ea4efa5012f386c25349ec76767f50b49fb29e4b053e7de808503d88a345bae8c0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
fdb0f32e9d9893631b71f4ff3d108e02

SHA1
23a2bd0db5d866fd132e972ec9c698a2e352d78f

SHA256
3bb7822bc975baff7410884da04ac966ac01bb7d4cf0d7b35c134db0059b73b0

SHA512
4da1de3eafccd93f4595ed016d7551f9931da6f8f6ced9018d47c7c685a9d1f3ca9ac4d3a0a868dc675b789e91676abe6d9adf79bc08a45d89e0fedcfd0ab5ec

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4e7167cd2987cfe452f61b1a69de0c52

SHA1
5fe0d135d066293417d0a278cfec08215a36145b

SHA256
628dfb89c3fa68564452a3d4d54fbeed45a8cd21b73d5742b92c2fd126ec1e7a

SHA512
b7d6c9890c20a4c3e240f77a3d33103401ae468a4c3ecfb57e96090a77c7bd8db66e554bbbc3ae589af502463c6208bc5109c1624511f74c16a677190ebe9cc2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0eb1e4e1567a0d0b37c650eee3ddff8a

SHA1
f8830178d49e2a30a34f0364136ae7d44daa72e2

SHA256
33e50338828687fec8159268561648b8a14a886944f283714333d0b7eef116db

SHA512
d08f33eb7617cffa8aa2732f60ade88486999996b94d4e1e3e13072c204e5208e9abcd0ab3c6b7ed00c09e776995a72422a8ce14996fb9fcec69e7f90e20ba1e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c00fcedc138e5182f41815e84860a43c

SHA1
34577ad9b44196cc19979cf018e49ebdab4895ee

SHA256
1d569a6d0c9a09579eed92292e3e3f75455771494fd86135da9979e9ec2a6fd3

SHA512
757436bc4a726952b04d2aeedecdd1a9f301798b88dbf60e7ab5a7251680b025868589f921c3e028785d439f4c87fd7ac8d67a78327ea49f90c86cb64b14baa7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
e854f0c1b65e69ea9be4ba5e5f940fc4

SHA1
3b247633aa2b904f9d0667ee062cbe7b381e4a47

SHA256
7f3eb6364070764dd69f59e6c755a147beb2431ebfce78b255b805b0e5300d05

SHA512
4034199936957f204c447b8c9977d3d66c21ab9a637fffa21a83dbb7eaf859936168bfa06a7f52bdda26f4aea9eee84cbecc5bdfdf9ba0b985a686f6c1d1284c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
01688e616f71317c75d34533f7573214

SHA1
e5594ce7a3cabf12fb4065d4332e4ea8a5d8eb70

SHA256
787355775ffc852bfa47e069a3744bd8271824bc6fdf822ac88209f374c39eeb

SHA512
b5297e9cf1cfecdceab84e99684034e6944cd57fccda646898e56739939917617bf7f8bff4882e07a04f83659da545cff23332b00caba93bc183d8852254ba64

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
357fa711914357f574416438f20acf7c

SHA1
7462b4cfa3639465145aec7639ab04db2ef7e708

SHA256
7c3c16e4b70cffaa68fde361d339c33cda3001637f12f6462c175e37531d528c

SHA512
7045709d6e19cc9968ad08561b7292683c90434c7f04881c3ecbcac75858da7173cfd0f8969ff16c141fde9d7efbbb5e9cc8992422c178a6c1b0a26c0334fa73

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c2217094ac286d9ffd1ac72f0ff88dad

SHA1
eeb02fb134d0950a92f5ff956f1f43cdc885e2fa

SHA256
34a8c6244d0a12cd5b67644363166d90364fb4d7a0b8215b8a85af99ca225e54

SHA512
b27b6c87c4ad5d519d93e5270289430c627c0a9eb36cf51912b4e3dc8331775259acfe0f70853eeec1d52a7ebaa2267dbef2ec5126d09a92fe66c498058d072f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
48ab84d926132274d24811ec0505b2c9

SHA1
1baebbfeba32f2af143b40ab196e32643e43ae94

SHA256
ba49f1e7cec053eb7137a568bcb88a7cf360b4312e00eccb926b1740cb7de199

SHA512
dcacd3a9d4c924f0d05e929c3343a2027caf3d3f767ddfb5f7887a9e73f2b6db878069274d5766a8e530e15a675416d941381e49f4bd0ac7048cd2177c487633

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f130b9f90a196607f1e480caea6cc06f

SHA1
b3453794937d1e75c5bcf0adb006a7071a240675

SHA256
2964d32b44e6663ecca6759cb237d52ca68533255db9bc5e8d6609b8bf7dfec6

SHA512
be5c65df021a5ff8b8f1af58f71779f38df7fb45e19b10a5e553b5c6bfa43ea0b5e0601f4115cfc67b4a1a3ceffe35c8c5343ca62a6293477ffbc02a9184948a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
1790735768a69d4288307b3580578ecc

SHA1
cb14c41a82972d1da4b7bf0d376e48477bb417a4

SHA256
8dc18048a7b3575a75fa01ed619b2dd44748802da17f1d4060d21b8c2ff966d1

SHA512
c56df56a948a051c6395bf12a335484744b2f6f1ed60cdc90a8cbe6e40284975a67b3d85380c710d706cb50c65b3962c8934e9d1d60326b573ad57bd46f93379

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1e44e859e78f2a8d45a6e9ade311d00b

SHA1
51b4a61799ff459f90607936f7db3ccdd2da434a

SHA256
d0921a35d2b8ad221aff7893002f2fd22790fd4aede3211dcdb08941b94239c5

SHA512
5416eeda724bf7075ec7bacec1ced81b394af5834fd8ddcfae961bd71ffe1787a4409644078be02001b488070fae9c7e8a4e7f5c28c67e554abce022a39f3fff

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
a6776c7e29a3fa307561a5cdd08f950a

SHA1
fdd15eeba4974d9784a1e31e1ef5dde1c43faa30

SHA256
a839b1d9ee1fe4a165509fd545857d5fd6f5b59243a54c2f571db6ed3f25d86e

SHA512
134f73d6ceff21f3ae6e705f5510be7cdf5fe23bc73d5d1dada028053499e5ba92c86dfbac0d105978837aa4cc8d0a4716710a5b44914c3662c389d516e98143

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
90e21f6600b11f23c0e4c5bd9e6d30fe

SHA1
f757409b47fadf250ddabf6ee2e9a9da9f294264

SHA256
caf090ec6bc7e16cb614a20c737bf1492a56d9dcaa33b661baa99bb349652811

SHA512
057a403b72f880ff3cff0a8b0fe3f277a9389dd193b8b5d821c3e0fa78c8cedd5ff2f5ab3e10a2c28fe3598d77b84e4a306c17f64991e0785899338fffa3791a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
5105053cd8f54e2e90c97a8e56eda7e3

SHA1
2e0e6a6e2f853d82080190fc349d7231bf4ce782

SHA256
9bd1c5fcc9fffbade399e77038ec96e4bcb3252b843d8bfe01340ac0d00896ab

SHA512
7f8144c6edbeb203bc1424b6894c53b427ec06b487eff5a8ed6cbd95f237b41f4e50416d4b6b6f29b7b540ba3d049f0c1deb54f2ce9befa962df0c05b40554a9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
76e13e1f08f8434fab03b8b3dc81d3d7

SHA1
e9b951e8624e9a21ba52e9f80adf2ea73e2f8e7a

SHA256
3fec71e98903e88bb03009974e6dc7f0e26cba53abe32a33f51d5de4eb82bf4d

SHA512
ab76301733cc33b0e83d3f50c1fa576e8e6034ee36473206d02d0d118cd25b560743c24060635011d6e7e4bb46d614586e96acc9267b8e87ef8b6c9aaac47a32

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
e75d631699ecc04f9d259e4860d34fa1

SHA1
a9729638e3af50c76b6d4be3283e6ffbccfef05e

SHA256
b6faffc1aa517481c2fd05c119f10fd1df01108c4c547860f9d78fb57850b1ff

SHA512
f612e55513ffe62f5467df02561b832d9f206c5c4c9b50ec7ecfe2be78b6e94f362ac52e3b2d5f8924374243d47fa38b16798abd3f62440740ec2efcdb0319b7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
91fc86ad82fd31dc70089ca2c5ea12c8

SHA1
97d467b743cf7c426a4017bcc932036d9f5866aa

SHA256
068bd220f4668971a151ff9990d24c1d95f3280338d9ea8c4e45d080d76cacda

SHA512
cc59aced480fb2a1a747f905cc4ddbb5154dd5a1a4da4e7dab5c3ed9c082f6fa15c5a5c042a7a96698d9e441bd2b871f5715e7085b78b46df708cf04915183cd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ff5df22cf27afbc75f0f07ea1bc69de9

SHA1
bea5548b771d60aa6e2d12309aef47d33e2a6cd9

SHA256
787733f06efcbc9b5c0949a3b034ef50f31b4d6df95f33a886bbb55a9ff4b2d9

SHA512
b0a7e7dea544845adf7f71676bac64f97d76ee93953856dae5eeb10c4a6e1b7c45387e1b9167698353710b7f456a274ba21f3974c38e7795a84dc022f1e63d2e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
248d7fcea5c910bcf0e923422e5bbe74

SHA1
46f146d4663043be259210f626f7409cd6c2dda7

SHA256
93157398b5c77eb5d5d8a7990293fa214a51b6e8079dcc200972d442db5e5f9a

SHA512
a9171bedbc8f82d451e9f92056adfd3a2c0c0e643816f888a7cfbf3a202609d4a1a6b0607a587db4c160a0d232b406ca1ec1c1021d854be98f847c78e3a3b0b7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
eab2c904e49da9fdc825b8fa8479d3a1

SHA1
71175220f27910f613abeae5ece02cd66a0ed0c1

SHA256
e53bbe35908f1012a0b29bd724a17a5c95bf74e39d91032c405f8c923149f976

SHA512
2ea69854f3155a3a8f307c2e9c8e782c22384359aaa5565b5debf79f5e2d7a4df6869dda42101fa2004713eb6f35cc95dc81c3261e1959541d3b2635fc3bae58

Download Submit
memory/536-128-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/536-266-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/616-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/616-87-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/616-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/616-83-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/616-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/884-256-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/884-552-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1068-393-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1068-6-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/1068-0-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1068-82-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1068-8-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/1068-2-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/1200-253-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1356-161-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/1356-429-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/1456-106-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/1456-231-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/1492-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1492-343-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1492-519-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1644-267-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/1644-553-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/1816-554-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1816-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2468-20-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2468-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2468-90-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2468-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2512-255-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2512-117-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2768-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2768-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2768-72-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/2768-185-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/3260-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3260-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3260-34-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/3328-53-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3328-59-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3328-172-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3328-49-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3528-535-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3528-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3716-498-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3716-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3936-532-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3936-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4580-208-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/4580-91-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/4580-92-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4700-499-0x0000000140000000-0x00000001401E0000-memory.dmp

Filesize
1.9MB

Download
memory/4700-186-0x0000000140000000-0x00000001401E0000-memory.dmp

Filesize
1.9MB

Download
memory/4740-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4740-37-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4740-46-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4740-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4740-50-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5024-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5024-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5116-279-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/5116-138-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download