e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
Size

625KB
MD5

7d381d1a7ba9fce6545bfad1bafd8fdb
SHA1

b926840bd1460d1f4656622f7bcf064be4f360d8
SHA256

e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4
SHA512

4b78cccca0bdb5c6ffbabc595ad4dac89ba5f294ba87bc9740187e5cbba0ad1dfc25a1b19e931efc3b080f823940c1d23a3d14c6178242af7a647a4585bd3e36
SSDEEP

12288:u2WV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMsc:rGVg9N9JMlDlfjRiVuVsWt5MJMsc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2712	alg.exe
956	DiagnosticsHub.StandardCollector.Service.exe
1620	fxssvc.exe
2004	elevation_service.exe
2520	elevation_service.exe
2384	maintenanceservice.exe
3772	msdtc.exe
4612	OSE.EXE
4744	PerceptionSimulationService.exe
4788	perfhost.exe
1748	locator.exe
2548	SensorDataService.exe
3160	snmptrap.exe
5008	spectrum.exe
3800	ssh-agent.exe
1732	TieringEngineService.exe
2224	AgentService.exe
2372	vds.exe
1308	vssvc.exe
4300	wbengine.exe
4644	WmiApSrv.exe
4684	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\locator.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6eca8307c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\System32\vds.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dd92f4a90a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015425c4b90a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004dded24990a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec50264a90a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000241caf4990a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004336ae4a90a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
956	DiagnosticsHub.StandardCollector.Service.exe
956	DiagnosticsHub.StandardCollector.Service.exe
956	DiagnosticsHub.StandardCollector.Service.exe
956	DiagnosticsHub.StandardCollector.Service.exe
956	DiagnosticsHub.StandardCollector.Service.exe
956	DiagnosticsHub.StandardCollector.Service.exe
956	DiagnosticsHub.StandardCollector.Service.exe
2004	elevation_service.exe
2004	elevation_service.exe
2004	elevation_service.exe
2004	elevation_service.exe
2004	elevation_service.exe
2004	elevation_service.exe
2004	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4944	e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
Token: SeAuditPrivilege	1620	fxssvc.exe
Token: SeRestorePrivilege	1732	TieringEngineService.exe
Token: SeManageVolumePrivilege	1732	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2224	AgentService.exe
Token: SeBackupPrivilege	1308	vssvc.exe
Token: SeRestorePrivilege	1308	vssvc.exe
Token: SeAuditPrivilege	1308	vssvc.exe
Token: SeBackupPrivilege	4300	wbengine.exe
Token: SeRestorePrivilege	4300	wbengine.exe
Token: SeSecurityPrivilege	4300	wbengine.exe
Token: 33	4684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeDebugPrivilege	956	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2004	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 1316	4684	SearchIndexer.exe	111
PID 4684 wrote to memory of 1316	4684	SearchIndexer.exe	111
PID 4684 wrote to memory of 2584	4684	SearchIndexer.exe	112
PID 4684 wrote to memory of 2584	4684	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe
"C:\Users\Admin\AppData\Local\Temp\e6c40881d093688b96b6a33f081e9de124d61160c10e3b06f33f9eb69e5dcdd4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2640

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3772

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1316
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fd600efefba86cd53d8ec3202b231014

SHA1
9a6210bb5a61747160d030ade82572fb5ddb1f1d

SHA256
88f6c9ed5f5a93fd99fda42160b1318bfd628eb484cdf5acd1a894ea08a6dc7a

SHA512
053d379540ab68e7f64d85e7d22abc38424bcd9c60d7ed24b432ce9c20aec0b8b780307dcfa55780174313b72eafa4fb28573f923866f9d08e780535f56a4588

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
99b4410f60e77df496a18eca6aaa2dbe

SHA1
f3cb3aab0f111e1ca5fcae87956096df6cc4e121

SHA256
f2f21ace8302dfbe45c071f0c90c7d887fd76d8f1227901d7785c92f55d585e0

SHA512
b1b30778050abfce3f1fc66d48ed8d21e3daf20cb179172bb8d3d0ad213e561c1f46bb7e1e535da290bd6388be1daaf7961f911f97428ed0ad20cfcfc834170b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
79ddb237c4ad513b5b5c1c8d3f179c48

SHA1
48ad42eb5c31a6d75d3e049c99cd8ee08b0f7b66

SHA256
a008968db4ef4e2d759c963b5dfe3fdc43e306a4ba27fa83b24aa2562d26dff9

SHA512
3517a6152be1e80374c515e808e305a067b2ebea71a2d6ed9a8d25f476c0f4d81ecf6da567181fe7f9685898cf79fa5e888bca4afc06ea75b86e3d94fe52413e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8a9e6032178847ce6db778430459eeb8

SHA1
534c071669e4b1bb863ef912f8d2adea9b4fdd08

SHA256
91a2f85e43246e7819e6a0faec99db0f429ad81078fb925955243b350e906830

SHA512
968cf11c25ea2f517570b949b40d0aaea91f69af5c62b238d92362baf462d9c731557db613a6d574a711c9dfc7051e76b7d5dcea7f41bf3e622c3002c24f8537

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3112b0380266016b63077372f994fa4a

SHA1
7c3f98e9620acce2dad474b155948b144075e6a5

SHA256
6509cdf1966d4716a017cbde2beb08421f1ebe30827b20dc21b692145020dc68

SHA512
2ebf1d9c50bb9edc64a4aec8ffdc1d460f9c9bba30bc8d6e0541a4c3cea319c802d3cf4072681f1d21abfc153574d194ddc5852431235b6e81200406557684e7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
68ecf3e06ab92e0321d40fc3d3ba5ba6

SHA1
ce468db10347193ae64740bb78653e9164aad6b4

SHA256
d9bc2207c5169c30660ec33ba9e2d12274cf7933ce9aa2cf7ae940174bae222a

SHA512
c2cb26e0c3582eef8d89bc55a750af7475b24081b152875b993b698ec2e9d05ad1583a2bdf060450e5fa4930d542988218fbce5c85c973b136f281ad2620fe6f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0fecc0490da3f8d2efa9e3cf02caa0b4

SHA1
bd9f5a3fd3d3f8fc94f54a661e1f40cf088d199f

SHA256
6e543b351b6fc8aaa10d981661a551ad6923349248a0212782c3abc5ffa269dd

SHA512
a6f1e4ae45ae3cca4af007f45937c98140c1ebdd47706b304b5e3b7a66a8508571f4f9ff9b7650263804ab85543bdfe2a3121efe424be574fcc990f115a834d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a6434815cbe9bbcc63f85ed2f34ca1cd

SHA1
694c2afb3bc9dc816c31a32c28a4fc7c10f6b32e

SHA256
97f6f89a6a9010beedecec6d99f684abdff60f4dbe84d59a5b61e2a817e7c43e

SHA512
150e5e9276f6b1657b014c06a7f31de4c74640c20d72e2035292a84183288cf6446e36517a8778dc842a80a275f3e43166aadc00f193187dc39bd73653371640

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
45aefdb0d1e8a4f759220b5f13416c4f

SHA1
3cae7a176e5b691a908d3337cc0d7005cdfa6faa

SHA256
ba9e79767ebd7d5bc0692c878e513d02065b6c74aaca56985a29224a5b910b27

SHA512
0568dd2187629ff882aa573feaed4524596885c5c1ed399f4297fcbccdd4ec73dca71f30f8b6b615d940ba79addeb483f78f5184b4b1c0f8f420c4aac120ebfa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
015b9ab746281ae437b0287fc6fb3f02

SHA1
23844ca7c377ff23c6ec15f666cb7f1df60dfdeb

SHA256
f15981fc0ba78f634a3cca30d5566c92b7510c18d666b2a1596778cc9c700ed2

SHA512
aad4bf1810c1b6258c91915d9beb4bbab0ba65f0bace64517bb335baa5519a1a1857ea56eb237e26bc8c5fcf678ec7e6eeb770ec54548320680586f5e33cd02e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bc4a495fcadece7438f3e975b5e87316

SHA1
033ca8a68f1d7da88a11bd6d2dfbdd81830f90ba

SHA256
ab4ce33670136da77576cb0208e3126ca811a2b5f89b27fc560cb601ddf87c61

SHA512
d645029a7cfb929e0d6224f97727e011ab0dcac8f07bb74d56ee11c5fdb3f2a1772b42c118f88b8fd267aea08c11dfdd7f6d70c0ce504b6606b76ca43252a717

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9a22fa43e847871f891ea8bb5935ed03

SHA1
3135f9ae0e23ccbbe3cd658329ceaea0f1a3cc25

SHA256
58fda14eee21a545f263823b89db18a7543f6b63049199be6904e70099e837bf

SHA512
450930e79123d25ae5d29c2542006a7644803251ef81b9620495c7af4ec32137c5f0f74c6c3871666853163081e6be2ca00ce3b5db33ce64a3489499286c3b3f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7ba7dbcd6155247bb6d89b80fd95e722

SHA1
b86d894881e882137bea7b9143e5b8c169f7c11b

SHA256
efe172f7253ace3795f5aed0d6b58f0579f496e64b32c06a8d370230217a1bd4

SHA512
37b1cc88b75b2e6307bd83bbbea22af5907f4671a81b36d950c1b92a09d5ee65f32151d1b08824060593d2c1d63dca64481aeca0e205224dc529b1e7a0bb78d1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
99376b4ec932308b7002847df9363c13

SHA1
e884fd5b74b00cf6e793495b16b339069ebb3b59

SHA256
ae613e7f510a58b99c565ba827f43c770bc065361d67409da4e9c46bb4ecec8a

SHA512
286485564fa3473e73000fec9ec0724653ec72ad333ea0ccae6b2b5c9250f560121f72c94f15a4d40f3c74c8ca6ca594a0b2341126fe4a7234a689b43576db56

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b49cd9f84ba06dddf35d72671cbd9b3b

SHA1
cdf8181e8aa73fc6b6678ea358c21c7d930feefa

SHA256
ccb410778819816aff495aa780315138db406659751b7296d4ad280db88c2812

SHA512
728fe4c0055116ebef5a287ff41ac45c55a54c0be2f03e3ce3fa6238855f6a7cb91e4b36eb7cffc62d1998ae696929656c548835ec345b16ee01aaf4124c2397

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cd578272b055b603ba2c83e6efa08175

SHA1
33b7eb8ffed97a541b26cdb98664c5a6bedfe325

SHA256
234226aa64da3059706c87a0107f4895bbf8c910b2aad29107c155d152397239

SHA512
fc4579da626d00e7a78427ba4a11c507d51b5ae7d51ab7d1d603d5d5cc52c35fc5a2b3b5c159300809efb665e033892245147995cdc00b6a6dfdc7a6d38155ec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a59d7a4f99b635a51372abec3e8e3102

SHA1
f29f3fadcfc4a4a2c1769e66e718a9b920b4c653

SHA256
f33d0a6b73f6af129fc622a443538e8d26c67377966c81ff634fdbcef012960a

SHA512
2d0338fbe6bd0acc2e2cfc7f9141cc33ac9db8211fba8cdb77e58e672e03962b84b04f6737654604f295f4b704b2896f554bf09435c7b5915caed21f6333a8e1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
96571d578a8b67608070a9e2b8b2d71b

SHA1
1b6de4d32ee25c1b728a169c9090e33a7a6811d6

SHA256
2c02fa007fdd48c8781e8b3f6f9b2b2e6b71181d7958cc917ad6cb5447282ad7

SHA512
dcf6279c5bd6b6c4ec06e8094f3312b19eabff7d120106edfc1111c24a9f386366eb6fc6a65d25f74b95da52d7d4a83db7f87539bbad9e80abf0bfd39721647a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ad6fb41ddef93692da8cf246efed52c0

SHA1
ae0634178de3e9733ec728346906d1ae657f0e8a

SHA256
9576c6b9eacc7e62723c32a277f82f62f06ae14d8e67b1b15f21c3b0559b9b42

SHA512
81f54eb1abf611e3ac5429fcbfa12f48d7b76b5143cfef3fd1ff7db897a8d17b4047b82cfc9f5b89ac32efb6b4103f4591d5c1f4a2f7dabb2131d19d81556e0f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e573a055c930fe2d323412ed42cf59fa

SHA1
51814a2bffd02721032a113f01e0962801b20e65

SHA256
443a592f03851d600f46b5ebb525729ec254f83624b5a83da109fd185bb6e727

SHA512
e1cf0751e0fd13eb73ee405af5e724808bb4efc4417c2a16910fb42fee6e5b9892cbae2117c7eed9f0d693f0aef39222420bf8cc09faa34856ef43fbfc4bb3b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3d3d9b5661e4cc519ccb6c46cfbd0f19

SHA1
e224fd4d7a0dcd2bb150a0af2a631b0143d94dad

SHA256
3d64e6da27823faf24fdfcec23b18d881d7821dc4ef769d7169eb642dc3b8ee1

SHA512
a17b52037b53839c50ff02a67e0098b68f54495d985b480640689417874a6af5c967be07db11f00ffbb3bb5638991e5ef8721fc8e52e208d162f17403d82880a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1bb804d124e51f21e8d3dd25a1537a5c

SHA1
c2687c01aa6284b62f8c0546c8e7dfa184b0d411

SHA256
898f6d514f60d41c4c15b307f5e612c1a8686ec7a1bca6911d33ee75fcb354cc

SHA512
26f18a35f175e4c5d798227bb8652e33d31453dd5df038e755094a17cb562f98ad826d25f0779c906e924f7160a1a2a7eaaa1d3bcc6d791f9b889697e8821a4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
81c483380bf558ebb76f1c9833b4c161

SHA1
8e8233894ef727009f240d319064f8c62d51d71c

SHA256
5000f71a927a640a17ae8a3bb147bf804d7d2ec39be30bb7629ea359cb719835

SHA512
c15b59b6dc54d5ec50f8504d9de1b2a47e7a2029579b1b3de0d3a7ccc9737f2077471badbcc7e673bc5d88c8f1263f193f7f20fce91a743003b8eb51f0b205b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7a405b3d87389e2d927d1b8641d49de5

SHA1
47a4066e9aead243927a8e9f684ef9a96e006657

SHA256
3ecf1a5d732c041d8ef3726c9df0a3c0049a2068715adebf7866cf925a28d54d

SHA512
ad93783884164953e3291a7faaa4cd8423c5e808de1eabd2bde97d5c893fdc723dfa7180d179fe3826fe8991f15a445756ab8d8203c7db46d2816fec28d58cd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
367bbcffedb62fdb84327bb580405e92

SHA1
6f56e55f6c7acb634f3a26b5822e64da2cd9f95c

SHA256
6c12077cab9be5b6751a9a447117adfdf76fef8c675db4117855321a9a91bccf

SHA512
e8a6c834f471c5362ba8d76b022e82491bd8356aa5a39b7621b713802510ded88f1efaccf61f62af08cc7d12a08dfdfefc89239aee8f46ed2585a62e4f937a31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4de1ed3870744e89026ee038ae13bd86

SHA1
b1a8c41cc88fadb22bc3e0c13a49999aef052777

SHA256
7239a6cbd66044655574346f1ece114d0c24cdcad821f4222db6dd7809d0c4a1

SHA512
bcb5759733bd137da1a5ac18df6eb6295f793be01a4da090653ec347c9075f72c89dbaa0dc7155ff3e09ca570499e00137015c3f6bed3794c8b04b0153278f01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c7c99ae5efc6301bec6a3be926d6407b

SHA1
9c15bdd4a6ebdd90f8cc7617fb76604f25c84724

SHA256
fdee1cf8cd53439979f7fdf8bfdcf8f1476af07a55f691dcc2652f5f3111b0b7

SHA512
85c9c1015fdd8e00cdf1fd06dce6acacd0e94515f8673b9657e94faa66a9e913d811f1446dff07b1e6508730ed41ab0deb42b1cc26e5977df5352119918fe6ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
49d62ad815bd1cd438bd2e36a2c3e334

SHA1
2b90cb544f9e476e0cacc442b94ad92506b97dad

SHA256
b867b5a1a4050352101c438814a5b8e0eac46f5726241ed7dfbc0e9bf199dd33

SHA512
cb04146f5a7ebbdb6238d979f8f000fa18eae065fb4c03786387d5ff329619c22d20294c92ed70a9c190c239b978cca34ec75fadad83b75f407fb4f7085ca033

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8564564a9d58a33398cd1f0483b941a8

SHA1
f4850a0a2c9fee4d3b86e1d3911f53d3e880faf6

SHA256
5a4641c1cda94ba6b55ea999b85bb7cfd86bf5bf615a5a17c9a519e1f0bc2241

SHA512
53469f4879254a7c78fca9443645c6c62581ec54e9970620ffb9e6f27efd5259b23e78985f8a14c0f220692797622e642e9a7da3fbe9ed00a1473c3281ff8c7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
90fae171c6aeee7555381fbbf3531d74

SHA1
ef589525b6e7771bd05eafef177195ca3e910843

SHA256
cec8cbc44491f553e7c613b265e887d451d3a6882e2fbf66eca0dd6db08cfe61

SHA512
8c2656a81b073dfe5630444458d325ec65815d726d44e1f7d69f1ff814248434cd8d3ef26a7a55d82c47f7565cb1df4b9629da9b57e132858f795f390a17dafa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2c7277120ab8c35214336f82bbc210ac

SHA1
bbb61f118034ad8814eedd2aca7192e075961451

SHA256
85b3c7a6ec7731339324a5bc8948d95a7656e3ec7a343db0178ae674ddbe4f05

SHA512
b7e0f5e7a735b9b5c8febce54c20ab3f5b4baf3d65e1e465abaa35982da40cccf99209192a00845bf18d2a3b9c641834634bcecbeabc12d27740597115f06e17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3e3e40cce2506427cc13f3512d19c031

SHA1
743bda7d815c80ca60d138ece90f13239d369f6c

SHA256
4bd41bfdac41b4409c1017db5f3b4adf4a0ab293b98f8c8c6223904168f7d031

SHA512
95caeb1a48f98070c6c14def8bd77418091e3c86d53a15b12a0d5fef4c6a53133de8b4163e7897f54475bc3c88f6b94953db6f1ea24c66e38a2171e0b4a73ca9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b04c631d7e7e690d4bd904137e97fd66

SHA1
7f02e84de3286a99faf12973fb7933f5c785bbac

SHA256
b420ca12255b3e28b636a0d803e8d930e00059106fa071b87a818fc695baa52a

SHA512
1deb3a19477575f9bd6baab03a1562bd17db555ffd2c9911d15b9d810b2e46894d116e5b175f92f3b5886330691df392752f9e81b5e8da50deda93ba5db7fe95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5d08007c7a14b54ff556c75d70817955

SHA1
10fa1cc3d86096eb661375a3fc64b5f04658adc7

SHA256
a4f79c1fc3b2f04e9da7012a15f52b7d8db57acc8029f7bc8b53aa42d526388f

SHA512
33ee07f6c8da6e135ef76b0d42b13f074a4c81263847efb02f2768311d0ee38baacf733d8d24a8756bf3868e87ba64a2baea3599ba9758c4b0e3679c3fa1c68d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
00555986e6b987945a9daf8e21cd2e30

SHA1
f08c1fca2effb4aa2d16074ddf364255d6f4bf19

SHA256
c627c05b75470e39ebf38bf145ef7d4b5d322745abdb8a13b4e2d4db92df0305

SHA512
286dcc16456b13cb830a5dc3c7f37c0817cd3abab8db4c77a67b651a76366a0b7ef89f6fed62212d2e87d71462fb7618a42b09031d23404a41e6ef9dd1f1bbd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
256ac2e33367c7dcdcb47ca6e1133b5e

SHA1
d1ce23fc7f4947969eced1749ea5264b68780763

SHA256
c51a79cfa78550daaf51b7215d6b8a176e15254c4d76891ca82e6abbcadedaeb

SHA512
8221d7cba391a354a4418688078c832396c568195e3591d95400a5e63a8fc5ba22dfbf8ba1820693655d4878ba04af997eb1cb24ece4a100f35cd9f3b24248a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
cc140f58ef27da21307b211213beda8a

SHA1
092694979ffc8a624ca1ed5faaeca3e98d70e6f0

SHA256
18936a90bef75012c60a821fbf308e7e6febbaa397e340e0f6e6e82e5f48d4a2

SHA512
0a95936c366c8f1cc0f99375897491e137892254045b050e44404467136f15c6d1833468b521c27afe469255f117917d356798bc822f47dc231928d8230fc0c1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3a59df6df1de30fa4d7b8e911e9753ea

SHA1
f1f559403f08c4e7e9356c0230478e6b88fd7fdf

SHA256
93079071c3335255d9df73f120181485362f3619c52f084765527851fdf22183

SHA512
2fd06f0f8d2f0264afb2e383b0cb263719f37ac8b3d8855e325871b536e9bb162470792eaeb9e71d7157fc07d245e162b200e3a681c1a68761f1f58810cf40ba

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
16edad4ce17f6850f2f1887dad34ba67

SHA1
6fd9786204d40b20c36e4f13afbf80fbdb3c3042

SHA256
463f9fc55a9fcbd1b0c7098fab72ff605a04122198b3d1668572d19f06624e19

SHA512
0862f76f74fe5564cda9f3d9bbaeee00a1fd388d1432444a3ced0820b733cd9d9d3b76f4a45209f86f9d1379c34b47a5f267ec8db5bc1eb9a6cc09675f3d9e31

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
76b4b9f471585812b36533b356da735b

SHA1
7477d5ab9b24f68724d16cc931a2bfb085b1a46c

SHA256
b60369cbab73554cb381e9e1a66185ee4697b66da290cd468a7ed5fb03012a40

SHA512
c8375153911f762bb6280665979167decd3b04083fd1913a0114fafa86eb7ebce88dabaead4ae818943e238fe61b0126d7cc9cdc61350aef3943588e0eb16534

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
26c77a0af5e537c6e9513b25c78092ce

SHA1
c980bc93ceb87af160bc109c9d4fd2449e4a7561

SHA256
96312e83fe245f8cbe8d7c21e5c5459b91ba8a5d43af4f7047863b943cc8f08c

SHA512
5a8b5cb35b248197180c2c13b947a5b8aa5dcb645601736fff68b563b1b3824b0256ebe49899725f264a0a1814d11386ba379f8190ce237ff1861e625fa0b9a2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f95d9143521d9fbd4743068685801736

SHA1
97f6326dcce05bf4a73b73fa242d3da8bd365f52

SHA256
ee144d9c31af4d3e850a212bb517152370dcbca5a14f400e44e24b1c4f7f6de3

SHA512
c3a223a5494bf0c26be6525b151075696c8f3aaaef235d0c46e23d90b7be46c65842c1e24f8722cefdc20e402b9f06b2ca73779bdfaa7115e0195d4f89f45229

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c217033d83f10fa05349dd4d5b68d78c

SHA1
91ef5bed09f40869b92dc8ae459782a9b6bc2eab

SHA256
577daec179290b7a134afdd5ca3672bd045366484490054e4a28e24561819410

SHA512
7ea008ba20fbd084a01e759a72b453a3d7781e18b28f17358a26853446c9475e652deb9445202d15799cdafd0f950a4c64e9f402a33162db43d8be6a84cf4cdf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9ffc3e8fe30ce53589c731779b90c214

SHA1
91e7d8becb94c7f50979950f1c32eca69b543dc0

SHA256
7275e463f4c96dc5cd35b29c286d6ea3c06d3f21373f5fe5ca9bb57187e6049d

SHA512
df65d385c81507a231880e806d587115b57a38bccdaefffd394796b636c1ea2c0454ac2a2aeab0efa0c8c59c3f5d2dd77e06dcf990a64831eae8f71613dc59f6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
dad85b59a50b360e28ad5e8cfd5de095

SHA1
2233bf848961931d69182db489db1a991cc19c57

SHA256
1644f567f8928cd7d4c9f6db37ec6ef11ea64e76afa332b5c8a3c6cf47ae1be0

SHA512
1b09f41789de02b1c27cbf34c684d325879b8005f0c1385a4b432a9b16458e09f7e143a168f77741b0a8a5e1e7a2d455943a30ba80e11d9c3dbce7155b1414cb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8458e6f7b547614d5e6e584ffe1bef3d

SHA1
f13b6284b76bcb06e71e0677c2a5b3b016ac9767

SHA256
b4819e1b91334cfac9210f90b197c9c08cccb144e98e90a9b958bed55952cdd3

SHA512
1c4840bc4bc691e78ccb2ad66599f6cf0fe4719a297efd6f44c0c88e9af850d48bda77bec835420fac8bae3eba3dd5b61327fd2e97d1b942b6400b5a61c2c7a0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
42478ea261c40c952a51adacfc5cbcc6

SHA1
a85d4ed6a6486187036956e23f9786e055078b23

SHA256
e907015dc029ed8524cb6dd0bdb93e4f72d082fbcb1bc70aebc666a8285099b1

SHA512
e0824d2663d5211980e5f878e9dcab2585c22a2e2c581177c8989447f10f39e33ebfed7d350a6d625d141fdf918ee0deffe29df28e8ff5a999a903e00c27e051

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
404431c7bc31c2144d3b96d4cd17cde6

SHA1
9825ac361c68726e09f92e88aba1970455a22336

SHA256
a1c63966aa91adfc851f78f164c77704050ace87080c9d24aa38a297fb1bc000

SHA512
71b1f2968cab00088663008b32dd375c3ade070bfbf4ae844313463e184d9b842d200d6396f8018f627fca5056c35ed7d037c98d78bab88a2b72ea0924145191

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5aab7d99914915d73b549410ee6d705e

SHA1
fa49f9d8f3409f89f62df8443d9bfb017efdbe10

SHA256
affa89b6856b91cf66f1e35b8748d78aa030b6d2153f88fb7c40b7784dd82a32

SHA512
8006a4be5119786fca92d3ca01c56b2c38e8a005a89739c135963f74ee04b2c157511b7a3e5f496fe557073cd550e242e6baa6b36d266776cfcf5ab91e9dc3b4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ce7d1e29d5df830e0c8e322517f48f3e

SHA1
afcada9fb01b2f76b65e6a623424f914424c5f86

SHA256
403bec46ae502f65e1234cdfc1d067a30cd7d08c52bbb2ff0cdacddd827d878d

SHA512
9637ca0400618c20b39b7619645f739380255e7ac45a810495d67ae36f62f2fd9f53484a1c78e1d919c17b9c573798d6071c096dd72507130ca37c8e7ead175a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
738585e155295daa28421f0d5b57d3ec

SHA1
2d8756938eeb869ef68548ce1cc11b86350d4275

SHA256
8e0d3e80d2268d00918873ded9f534bb8f57f9e72ec99fcf90c15b838f95b273

SHA512
c747af7b74112e3e8aace238dc3be0f5d31e2882d1421ee3d9572dd36a2ef7d1caa6abc9d308ff5e0d406fa83c9f7555bfd5e97c082690899a09643a87aad859

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2253521ca52083ca0618533fc6209e16

SHA1
d0017b72ef69d9b480a2d7c860fbd979a1c37cd4

SHA256
159bffab985604aec9b2f3133ce689febf3b75fdf5064d44665343071150f296

SHA512
25d95889288ee6daa2b11fe219a37c79660edafbda4600226b3996d3951e279ae23d908ba0b404877ad1d5f98b3fa44822b98f2f29a282a57df4eaa2a8da3ffe

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
26f3b2d188dc0d91428ca6964c584eba

SHA1
2062983c90f90c5a1ccfea6c39e155d37aadac7b

SHA256
6c18b9376f32b1f84389d2c446f420ce82c20c239e60c566f6e3b64516a4d196

SHA512
972c2bfd85ffd92c071ad7282002e6b6abd65cae1287a102e27856c6e49845a954d0ad2aacc496e365e9c82790cef686a3ccf78e108dd4084e5c1184e1a1e72a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b9c3da1e122c16ae3d580824f8239b70

SHA1
4035c9722a1ec374aca9d2ffd746252f163c657c

SHA256
acf0ba7969cd620d7b227406b87c7eb801fba74cd4a406a9844ac7fae2f0af2c

SHA512
f77e1cedd58c2c007de847f10b1c95ab5ceb5fa24cb756c9ce0d35564d4494823fec08c129fa2c75817aaba2f9e5104f1d7d43434a1a299838aa64f955354a14

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
efbb32948e564c0a71b02085a14dbc4c

SHA1
a7a65c0fd7b1446789e989fa837acf9606327973

SHA256
0abfa8e2ab777e0c7365f9ca74dd23265497f3e90b635e0a8730f244e0b4cc39

SHA512
ae624f45d72e048f07953a0c3f764d09dbf24e7359a435be1ff0240521f17bf121cb833b9ee1d3b494c3b512f9e94110bef8d50a3000c8035b5ca172e822aa1b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2eaed7e82aef04a4e1d0ebc55cddbd5a

SHA1
888ccd28c31190016d74731c953af0f721e11577

SHA256
64a544eb633f4fb169c453774161bef12ce208878f1e88706794d33dc4af7dd3

SHA512
3b22687902d7cbca93aa0253480e60a7cea32c1064cd73b3c13490a3c8d257f53050c62b4ad54e3675b8e707f6b973bc9cb9d957ba974a75f700bdcc415dd220

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a131d554d524a6445ae6cf839a4bafb9

SHA1
c799307088d782dc9d5ac58f319ef25270c084a3

SHA256
a861c4c3e6f67bc058489348076205850973b44781c157eef308a55ae091f0f8

SHA512
72d762a49a59c868884f404ac3e80934397a1452440e24f029b9d8fafc304bd1f8dfbc9b3007875eb49afdea31b88e6867c2ec9d6f0b15765702f3f5195ef31e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
57b69768f66e20b313577fc9472c9c91

SHA1
8c687ac589113cd9fbec5d1b35e2254b12b6ec3a

SHA256
172ceadab20d39d1199ec07bdef68548c5a79b13c370563b3a626f0f6e0fff4f

SHA512
b4350ad1d8027d0f032a5670d2ddbb7e138baf759aea0274df6b19baff66803f017326ad948328206a4b80679f21a7c86646b63c6c1f414f8d3a4cbc48b0846c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
fc42b719d337f54ead1fddd141bb74c1

SHA1
60123aa611d0cdf210062a42da31eb7b49dca353

SHA256
f7d224416a02b1fc553f96ee86368df37b10472d064051e0654a7ef99fbf7311

SHA512
09fe8e56eb9c2d522c973bd3da3fc805e086cfac10de0fc0ba6cf75aca017336ddf4358ad90a8dfc5d93fedb132ac3d78254b0cfaf8c89c2fb6ab29b6a014f0e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a0e74bb37f50b42afdf38b22559a3000

SHA1
852fe3b4237d64fcb5f0d184cfc86cfa781db962

SHA256
1307185aa829b76992b9727e082ca5cb6197995e9635b3e21f5916fd56faa246

SHA512
1af957cc19c48e74236dad1cb7cf942d672d65e3cbaa617be9f1361e129cf4990371c667150a72dd54063bdef2d572542398163f810de29a38fee7c423c0dea1

Download Submit
memory/956-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/956-22-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/956-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1308-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1308-502-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1620-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1620-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1732-158-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1748-152-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2004-32-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2004-39-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2004-33-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2004-497-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2224-131-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2372-159-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2384-168-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2384-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2384-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2384-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2520-500-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2520-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2520-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2520-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2548-153-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2548-489-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2712-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2712-496-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3160-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3772-148-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3800-157-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4300-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4612-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4612-68-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4612-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4644-503-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4644-164-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4684-504-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4684-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4744-84-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4744-78-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4744-150-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4788-96-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/4788-91-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/4788-151-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4944-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4944-8-0x00000000005B0000-0x0000000000617000-memory.dmp

Filesize
412KB

Download
memory/4944-404-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4944-2-0x00000000005B0000-0x0000000000617000-memory.dmp

Filesize
412KB

Download
memory/5008-156-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5008-107-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/5008-501-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download