f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 06:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
Size

625KB
MD5

0e84d5419db65f277885a494f066c20a
SHA1

0a5bf79d732934fce7ba3be23fca1a8317666bee
SHA256

f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4
SHA512

52d408ea688844c023760aa62ef49df119b81c627013f361e995931c257857708865d7685241cbf28997738245d28bffa8c587ce532a0ee1109478eaf385498e
SSDEEP

12288:Z2jV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMsN:wJVg9N9JMlDlfjRiVuVsWt5MJMsN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2976	alg.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
3796	fxssvc.exe
4340	elevation_service.exe
2104	elevation_service.exe
4904	maintenanceservice.exe
3764	msdtc.exe
4136	OSE.EXE
3760	PerceptionSimulationService.exe
2528	perfhost.exe
2652	locator.exe
836	SensorDataService.exe
2828	snmptrap.exe
980	spectrum.exe
2696	ssh-agent.exe
2876	TieringEngineService.exe
3896	AgentService.exe
1956	vds.exe
4452	vssvc.exe
4488	wbengine.exe
4816	WmiApSrv.exe
1400	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\System32\alg.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f312b655b4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ed4e8686aa3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000583cb8616aa3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000854afe686aa3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006b58f616aa3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e970c696aa3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000317acf5f6aa3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8c8dd5f6aa3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003518cd5f6aa3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b6195686aa3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db4766626aa3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
4340	elevation_service.exe
4340	elevation_service.exe
4340	elevation_service.exe
4340	elevation_service.exe
4340	elevation_service.exe
4340	elevation_service.exe
4340	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3632	f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
Token: SeAuditPrivilege	3796	fxssvc.exe
Token: SeRestorePrivilege	2876	TieringEngineService.exe
Token: SeManageVolumePrivilege	2876	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3896	AgentService.exe
Token: SeBackupPrivilege	4452	vssvc.exe
Token: SeRestorePrivilege	4452	vssvc.exe
Token: SeAuditPrivilege	4452	vssvc.exe
Token: SeBackupPrivilege	4488	wbengine.exe
Token: SeRestorePrivilege	4488	wbengine.exe
Token: SeSecurityPrivilege	4488	wbengine.exe
Token: 33	1400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeDebugPrivilege	1988	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4340	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 5116	1400	SearchIndexer.exe	111
PID 1400 wrote to memory of 5116	1400	SearchIndexer.exe	111
PID 1400 wrote to memory of 4220	1400	SearchIndexer.exe	112
PID 1400 wrote to memory of 4220	1400	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe
"C:\Users\Admin\AppData\Local\Temp\f6cc5058709925aa5584d8a4f8309b36cd27a4cbaaa9d58b85004ce8020c8ef4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2868

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3764

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:836

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:980

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4386830ee5e7a348596fae82a2fc5316

SHA1
4b0ddbd7997bca8a12bd39d6788057b8d5876341

SHA256
e4353c7d51169ec10126710f63967a20fac7936092be47dcab324a14258d1ce7

SHA512
c60ec396c5f760ea0aefd8b1660399b2b4ed9371e0b81eb8570d204f860aac900fa1cd9e53a2d824d1fe49aa2bd116d03d877acb7604ef9dc5cf54fbee5add96

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4377e1078f54b805a15a4878273e1673

SHA1
590f78060df4b1da6ce67b2c03b0742658ded6f5

SHA256
5333138b219d6b0547789bfa81ad512e1773a540e7764b0c082cdbea20c9de24

SHA512
7249e1233a458e6e29cd2848178cf08ca21c4ed59919325d89cabd760fa6590a418849363e088f0a348853cef893493ba59fefa59921ec94846ff49b62584c15

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
efd0dfd61803c587758bcbf1472a1ad7

SHA1
d10f2f1d1cf652e10e24aba6415b56600ab0909b

SHA256
bc54ae75e096ba91a9938420b1d17168bcad27a6aea0aea1970b9da64275faca

SHA512
43d36b342858cf4f2a1557fcafd364a016e056b9cbe04874c68caaa03bb6e2d9fd1867ad4cddd499195cfc8f3b1062021f553b713553ca8469b21b15fc9021c5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
708a477734a538241ba91e883a466c1f

SHA1
cfd379342331587e8b85d12e3ad9300d9de8cf66

SHA256
d5329b01e9af7d820b417679604db04538a165ce1336a7ed23bfd48498c927df

SHA512
0e8a8082e5a17d0edde00764af69c961f36e2fb79b2a868d2a15a2c5105ae0b53ddb39cb5c73407bb93f41f19e8394e7771c68b265ad35e1bbecb4571636579a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
78a8d41ed4609ddcb5ee54dc7e6e5d0c

SHA1
c809cf1b290b71e966791c01e5fe9c53f7fe4d2a

SHA256
4d862d3b8455acbb0e51b1846b25e475c9996bce2fd6380ab67398591967f9ad

SHA512
de11ae7d59413ac9c239f726b182818bc8414210f6449fd5c3f8e473f9965d0fc632be0f3e2ed79832cf5db54f40d15c3b6b58d23d642461b4e69f28e65a51da

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4f8d6764c7750b19047975de0115270a

SHA1
bc86fe8a5ea4f3891897acffbd73e88cbf0e6ca9

SHA256
26636e5805e13f3c17e47a278f11af7e336219c6ecdcc4fe82fff7ce70670054

SHA512
f5cb424f5f1cc291e26c967ac5b607c5724d000bf7817ff7de036e391bb2d8e74bfaa14ad87ad242e88b22159babc346f90ae5874ab5109af3065063c35dfd77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d9f3c81a7e0d240ee5fad49a5a18326c

SHA1
8fc702eb44293bbda75177571d32000795958a77

SHA256
3fde6e04e279cba3dae75ee20d0cf9019b5e7ce20f9ed886ecec544871748107

SHA512
9540f11050db947cc7e46e3c4c6ba72edd54cb030b9b4b81a0c52f5b1bde7be420c0574db978055e863ecf592ab3f05e6a9d730b9dd7f75764b40fb9b17c25a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d2428d4afa953b0f15ee82b8e7163ace

SHA1
098c544b4a984736e09fd4fae2722cab84b1e4c3

SHA256
8e441cc997bef661e949ac7cf60f414a66d218f187272e57827b3c135091e060

SHA512
64f0c5f377d56bef70eaccd798c299dfefe3a87b29a9dfec9ec0f5c8934f51f2cb3700894943697cb71fad820f6c8f24a533e0c8562478a9ee4c93164d38baa6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
5ee8586d389cb2744d5c5d0df1ca80be

SHA1
c73071722d5a2463687115c8e3efc5cd8c154d01

SHA256
f9f12635d39155b36221931d82f9adbde16f90aab715a9bce89c93514b892ef8

SHA512
890c0cdaa83eba56da7173102e9f0ff53ebad1deb81ba9fdbfa22dfecbe78edb90dbda5833e89cfbe1a046150db5e5ead9da49dfaff91033dedb31390e4ffcde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
20f06c67bea9bf4eb1769060ded3036e

SHA1
4cd1aac5c18d162526c5f7e81dffc8429b2877db

SHA256
cbe694132189dc74d7d0d1342d168ff429466f41b4bf610e01b40e6da8a0d87d

SHA512
22e77eb1570b4f2a79a8ad80bf115ccb54cdc6fd732e2f006fef164c6c8a8b7951875821b23f3c0d3a204fa9e55a156437385792bb9bcb331e3f2e0370f6b758

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
db283658b6252a7acbafc4a9b0da033f

SHA1
4b62123162e58472af4732ecaa11b4c03c078408

SHA256
1301288673ccf4e5942066991486ebb0e8c085ad669c57f7f883aa37550c0a66

SHA512
ff7668d4e0bb09433cc9dbdd71b06b20a92ffd16a39da84db963c2ef2af4578ab969d78ba0de55733a6c5e2a3daf4458d81061c4ea29a9d04d82ddd99627dc40

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
166ecf18c78fb3d5a008982d2b14f72d

SHA1
b142c9e473198a438fc6077854c547084918d24b

SHA256
13c6f50944158722240a781c21efdbf09016780a95aff18fe7786f0353e50d2d

SHA512
d4def7af4bb75e2396cb648cf38411a0bfeb82b596b580fe050617abd0bb75aff6a82106e1a38a35b1fcdb246e4da5733284cab509b95fd452c4ffc87763b7c7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
04818eb740a826e017fd782e71f55988

SHA1
f2dfce68303c8eb827dc5f8f77d2fae2cdf65092

SHA256
d8b758369cb86c1e2776da309e0bc69f7ea9d1423716bb96d4ffa7ad71fdcf29

SHA512
3ea4152a86e3f245727a952d92cb7c04b4406d245e9a9169299f8728439f778a8ade8fa3c852ce0a7b1ee48f4d846655625e75f7eaa9068dcff2623823c0e179

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9c364b26251d079d65b84b56a2f571c3

SHA1
5beb322ff5fdb665c9b794523e994d2917e3b6ca

SHA256
b9907b2e6f51b12b00122a746fd83f9caecba23c5d474daaa45dd1a8885ec03b

SHA512
7b45ffa62307ca79cdd27d269b0412dfd7a093376ed2382ce55e3c02deae4c300b05c96e00366d57be62f7ebe6171be940994467bf54383eac5e1d039791181b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ff9b1d0a8ea5458a8dd59efc82f624f8

SHA1
149ec8a1f62d3fd27c56d90cc4029e32e1e1fb7d

SHA256
c7b7584b1be0871503eddc45ef67d14e68882d15fdb50896f67995ea74d15ec1

SHA512
8f8f8942694944edc37342a211faa773c262b0413281ce53042c158c420365b33221fada6743f2b84781095291f9343c58b6d2b3975d38191d6f4712ad12bea4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e7fd40318258569d59c8a82306cb47a9

SHA1
9fd7a6f1d98ca3a8f092a5c8cda6ad04e35c9386

SHA256
3c9ec298f156d48601e966f3ba4464961e3f2bc1ab6deda0b4d07aa7ac121ffd

SHA512
21549a4fab028ff6e9e27a6cad89704f7b4734c84dac930bf457bc76a43b05ab8cf640f84901a71a8534d398edb4e5192c4fc80eff2181bc09f4438ba9df7908

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7083c0dd163a3a868239634e2b1ba0d3

SHA1
ef78e0ef36a3814f9c680865a6664efa48a9bd77

SHA256
f6b3da3a6372fea43223f9880eb65070f35391a04d45abc665bf707b16d30c72

SHA512
48b22570eaf50149beb74419ebd620a1ee133f4053a82edb8a27552873686b1d79b85c142510136bdd63028732e69d1b942e1ac99b86c87724695f036bddc40e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5bb3e53430a2f102732fe2e89c50510c

SHA1
029d70bd21e4a3c1813308e44cbfebc157dd7ec3

SHA256
16fad583f4ee418cd5377b5ba29e0327bea21bbfebda8a119281448275ad04e1

SHA512
8afafc96324b7cdcb10c6fb9f36bd07b2fd174134d4c68e82b3eb42953f45dd686060937b72ac9d5d649ff4a0d0b92fcee5453bcf6a4532dd501dce0a9efd093

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f0c458c455010f64c59375561359f36e

SHA1
f628542522079ed336752b972c05ba1e2b3fb910

SHA256
ff177557aa3ca17905a9909d98a20e9fab0d2657eaed5a21be33d6b72fdb6dfe

SHA512
1f266283e126c14a754e59649705295703f8510e4f00fae7be2bf375760f0cca86d7cc68863f8b94d1ad9649de172d9a33a9c11f781c920ce5b51034bd30501d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
dd69ee2d6185c056ce166237717291d9

SHA1
9b9c415c679475122c02852da1f1b448571052c6

SHA256
899ca72c389ab989ed19023b3b58f41c32e60f812a2acc108bb60b0a866a3cd0

SHA512
e1d3ce3cd65a818a8dd7a786ce6c9eaf022913c3852a4fa91d58ab1bffe64fc9566e0241f9a3dbf79380d7b37546aada05570d331564283ad2e137b68a4f6b7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
9f3c41a2acff759df1a0d2bc05c69efa

SHA1
47ce273fe4581a0b522ac37ddc081d184bae0cf4

SHA256
04d42bc2d6706dcc2378016d9e08588712f4d90ba7c62b8675e66c7a0408abac

SHA512
8212a69b7585c6835abdb8964b3c4be8d7b9aa3c6d678dee820fc51dc46f69e639ae6b1bc4d8e5babc8727cfe7ccbcb33343488d61a9679d4e33924355c35c9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
dbcdbc722934248244a61c832e4da49b

SHA1
3229167b4fa02598cf80460064858dda16c6db09

SHA256
386e5e3fe3a487b0d7a7ff5d8d9dc1c17d00ea12a7c09eb809c21158d1affb2f

SHA512
b7bceba01ba31753d4f1a0c60dffb3809792579232389a7c830c7d3001c04866c91b76f149ce9523a0d6ad02ff4d88cf2e47d09781bcceb9a33c71d1903c9b00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f8cc9b82d6278a709d183998647e91f8

SHA1
96d9d68e055ee8179e776c292d0e2338865a04db

SHA256
ceaab8b90e3baafb3c20630eeb1fd69bb7accb11d7f5763df86bae76cd102a2b

SHA512
0abb9d712322215a0ab8b7f3de726583f0eaab9a5538eba3145c7b40c42e01fa9e909fbd10e23d3ba0b3a2eaf7ccb877f3bd3eda52e4932b6239a2b2f8e7e808

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c718711caff51c012bd7ba0a05389a1f

SHA1
0878bf66252830284fe00cb913c799b0e5df292d

SHA256
108e22cbf7a722892a8cdb330e1305504141ed0509e727c6dfb66dcc2f916e83

SHA512
063d5744a2823074b928d59621d385e9d064a509b83e2cbccb688b46547637f56dd95663feca4eeb76a14e7c9574de2d98fa253bc78e57b222454366d694afda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
47ed61392d2d67a3db490f2b7a94a545

SHA1
5aa89ba6f41e267bf50269214f37e46def4cc8c7

SHA256
5beed2c9f2a7b08fd94420d422c4f624c8885e56f8a158beeadee6ec6c684566

SHA512
a8058d2f206fb24fab5587c2a84e65e40f708cd933ff6e6a01a540433bce8a494d50a0f4f4fc3e308f00ad02bf38315154d4b4d17bc5f613ab7f8c4e8c8d0149

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1ddc0b4b59ada316cf3d2f350903d9ef

SHA1
34fb1c205147af7a1c64c039a045df9fb352d211

SHA256
8747c7b32c96f4ef084b2bcdb70704dcc5b03ca35aa9fae24044e4615d17088c

SHA512
341751670e1d467b293cab8dcf4bb1bcadd30829f4973135e7f2137762bb11080f677618dffdf324bdc156c21aef397d4dc7da610354637ce7462323ec937a5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
95b22a5914cb9799d16c668209b2ba5e

SHA1
62586487f8283d43634478ab0a03ed4bee8f5518

SHA256
430ae341c2eb4009f866d9eceb8cbe9f3f0da92e35ce47b8c6551e046e8991bc

SHA512
ca3985cfd7f5abe6cb26cf4fdfaac1175bfd8c080133cdcc3cd45c31b1667303386e4f944475339fdfe3cadeacb5ab6730d222d9e60472960a15724faf2674e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d14887a6dfe8829762e9ea6b2323f7e3

SHA1
204126b4d9fe962e022e0aadec48a31a04459230

SHA256
7fdb1eb5f453d242f4c3562bf2f2dfe369e447aaf11435e4fa43a52f4b33c767

SHA512
dc1af554f9d07431bf4864ef15728579c8c24e0643ff861f0d760d62c81a64e61acd35a97d2eebb64a0081971e1e379893336a81e4ccb3ce792e00143d694667

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fd6d47964417d1e1da9f55faeec7cc8d

SHA1
2d52dceef56c30a54e1434c4925ee6eaa2595ad6

SHA256
65fe60ee63a2fef1658005b100b35481d77e1857a74491974549cd30038d85ec

SHA512
5acebcdcb3cb13423dc93691521b8835f69a804eb5894ae8f3fbcb53984d05c7da13306537f3ac86d70c08befdc84fbcba993e657f1daf80651c60cec65d9697

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
125517de69ee6f2ee9074e6546c81f6f

SHA1
b194ce9ee9c3cc51564ea48c26bf319d2c8f33da

SHA256
e0f73cd4aeb3ba04cc69bff3e22072c750000bfb3d0e70dddd1947d7d53bd76c

SHA512
089c3ee963ccade1b7436c2fd35d891258ac40f535a3831d10fa529b574a05d929da8704d022a97a730a59e09184d9c3748a8f6a83be82d5055eae0d0668a890

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7f41bd0d1574c6ae2edcc32a5fa5c704

SHA1
a3ca87324a6c3e292f466a8506ac3db760a7573f

SHA256
5e0d6f0e4a005eeb551b9c873f9c969b770aa8f922598622c3666fa15eb9f25f

SHA512
2ba14e5428c98ddb17093d5ff24a1ea462c0f1c8ba864083320e972bd0a104038205e8ba4bf123d33cc4c3ac86eea86624772b869e7b92e6992d0ed138c883a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
69ca5cd9dc8b65cacad118d511f1365f

SHA1
bed921af68066519770657adf7e2e5c28579f24a

SHA256
3f6a88737175a983f7ec429f632baf3a4406580edc9255e63876af102b605d17

SHA512
f5a015edd26ffc1733ca08c7648232292dc63d0ad8c4c04ec74697c511e4fa76299a3203d51b7fc538b483ec7f9c1096e42378452741a37a32a12339c8f45be0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
cb0f6d5f0ad0bf98f11ac7025aa9a718

SHA1
d2ad206fc51b683f3131750892d4d547fca3781b

SHA256
c9d193490d9d0d4109d8ad055710b2ea8d662629e7d013b2373419cb86f6b596

SHA512
d44d4657e0f3fc860bd44fd6b1caed2a63bcc36e9878d3760949bd5b60931d6c7f1488826c5fae338d42342762b97501de70f62bb8fd66bde2fa26cf231919a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
76d585f59eb6f67786a624b647432058

SHA1
30e4339b51bf6063983db46ce7577c66dd9378a0

SHA256
9258307a7f5be65b722cd3331facccfae232f93926a7b607a6d38062f4c1327c

SHA512
8014e1cab548a47d14f76dda24b981231662cb881efcb07f341a2fc78d268f585e317a0ca62745cc7e672755da28f99db826d4189ae343e2e5f30145676376dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
21bbf58d3d47460d2e05964985f0f520

SHA1
6519df37cf99733a23771f388983e01ad40e97a5

SHA256
10ceb1cabf75e4637b38a1e124f4b96d182afb42f1a573fdfda9085a480d38c6

SHA512
f26e2dd08a309f4e5a54d7658f629bececbf0b7a73d6b56f08ea9382f30db4bee59f1d8924ec0faa19b70d71f87f673b5b795aac7344006808b622f73b6e0ea9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c7ce4c6d1cd242b0e6af0af779e36ad4

SHA1
dc8ffd8ea752ba4e726185ada3c7b0602d9387e5

SHA256
fd02b954e7b0cb41e5e315bdcf7b45f5f409b0fa5ff1611471298de1b712d2c6

SHA512
7605f72bb3b4430766a21e724ea653424a4ebc08b3f9042537d33c4e0a15fa9e24c19a8024e11d5ccdde7042f90b47d4c7ab0c9e987632d91e01e71f844298c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
bdb1779b7a09d88904bd11982149d56f

SHA1
6d089b3f96d49761d85b817ba1d13053e02adb30

SHA256
779af4946023a8b553b3ff2866be11b3cff1f3874061e157c39b41f785c59e46

SHA512
d1fc281fd3fe01bccbe3d8f3e7fd40900339ef7bbd65eb72336aef39a24ff7a49a2ae3faa2b0fc93b4528a8271210d0d72405dbbe8b1c891a9b3027e2e6f377a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7d1f2586a21f213623807cddffaa3121

SHA1
e31edbd231e6d58c76d29a4e63a716a4cd2b73ea

SHA256
2b3d45261c0e659f976fc34d6d43f46e291cfe5372f6597955369422b53b16ca

SHA512
76b64ab54d9031fd8938c6c3522501f4ceb7c262f3f116ecab8e9ee0aab6798239cfdd8f6be82c6a85ad8cfd9e032153418f3af4255f3b431d9c95155e2d4dc8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
bf72110c00340c7298ce71dcd04283b0

SHA1
54edb566ca29c147d06206211f8fdf99474ce22b

SHA256
9323a2243f1578c46f79709a5360db5ec1b61e59977d7944d2bafaccf5f7e1bf

SHA512
992a280f6891b3c1ecdfecf4239e604c0ff022ea89a0eb330dc29718e5679c8e4efc5e69ae43820708801c4aff400d59e78451080855594157200be10b9e172d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
38530f12cc63a897a1f66da45fe55941

SHA1
a97363b18ff2c3f8fb1fd72874a51880cbebf0d5

SHA256
71b202f0eab4c61ca0449eceb9ad58abc3c831e9e20516d461c2893589e41ea5

SHA512
21aad3b409a9d47fb4a91b226993c13c352c9f8e336f443594dbc52fe240bc8909f3046eaa7d53deb110b44c934fc72f299f32f49f38a7348fb3cf31ef866e05

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a43444d1a31ca5e1cb329616eda1d5be

SHA1
f8c093214528e6cd642eda4cddac20852b4e6c8b

SHA256
402cb95bf889ae9ce9bfb82662d276793e2f8df14014b48ca84d06ee7ad2050b

SHA512
a8d024847164934e972be188b65dee35f48b7157a6314591e90a3da35970372a71f793f16ee3cf014f0855505cddb640df3f7d3433ba0bf2444f0e4dcb069a1f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8715667a312db8e2c19bff6d045a304d

SHA1
f42535de9d57c58d842e54e123a3e79f9286e3d8

SHA256
6f654445aa028ef7d79815e65d05a068607b78fea7a1b5242e9e24b65ea031ab

SHA512
e3f4a0bc3ea98f6e48ece1cd2faecfa1706c920ea9a0dc2c7174158c736e4aa454ec4defdd1b8d11216152cccd113f067214873c426e44bfcbba52bd330b72c2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f654610f79783b8bc266bdc7497cd487

SHA1
cfea78313c546432de936a84026f06e5da728739

SHA256
0023c3d65e9fa646a35c283227018da420ec363e64effd854734bb495dc6c9da

SHA512
5ef1bb0bc8979aec0504385bfd2254ab43e6931b2e0d640d510497adbcd6ea3cb84e43011b2f782982f82709417dc10f4c5ffc0aed079998c8b9317fcb6db2f7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
20edeca5fa495b6e366206b5d109eb6a

SHA1
f4a405a943d0e2979def6dc74be7356a6d2b8990

SHA256
4019b25fee9816c716bac6f85ce6adc874c389323510638fe05de34b433d2f14

SHA512
70f3e74a2838c891c7a090949de0c30581ea26c5d610957ba6b201537bd8bd2bb99ec65f53f7bab56ef158673c1e581bc772d5f77f2ec7e407ac06e7e484a877

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0b3bf1c34c16e5009770b5e6080b29f7

SHA1
fe57c6b4b83551b92ed79ffd0031374f8dd51ac6

SHA256
cc6203e22ac892666f18533976c75c00474a3b301b35519bcd2a476264076d52

SHA512
69f853e4773b064e448da4168c2fa70d6c30c4582462d426eb12274897a64c3a0da548f48ac71cae9d39e4ce4222fc50d58696251abab5f2d734f4a1efee4ced

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6e1db442e9a167cffbbc498df82f98c8

SHA1
f1fbdebfa82cddeb5f56515f0468a135c32864e5

SHA256
099b4b49b68dc7e80c83220b08ce20708a39de7c511ff414ef8e8668f2d8be17

SHA512
620e371ab8a16702a76ecd7b2680d261779ae1c7a1c1a47dd136d349e62a9d01ba400701d615fe83e4a5464332d082d6ad8dd91696df89b49794b81cb325e2aa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
380c08aa258b8902cd3fb9a74f5733ce

SHA1
9beeb0d25682c23dbacc57e2740574a466ecb3bd

SHA256
b76d86ad3a088a13a2866107a8d14625aa75007b184387bed541ee0e4d9482e3

SHA512
91e3e910d053920bdae5989bd4f7f69f337899de9ad57923b52408bb3a1c785791233fd3cfff49e1ff59ae98385b4e623bca01615b4f98ea08129a4596c18978

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a34436143f0c7c390e0f7ec41fe6511e

SHA1
0cc518ac1d28e7f3484c91667b2a10c78214daee

SHA256
b8568263b4668248c69a64a484dcccae34460792b39aadbe407adfe3240a4f76

SHA512
224014a60c7c3679930e1d33d57b79499eb2240613b55bf468ec9fd50d67fbfe2e6af66a38e504e72b54ce2463792c26d216b122461ef5640c0d32e9c1897409

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a14dab3018c74222ea7fc97a29a2919a

SHA1
6bb9e55b13ab4303098867e8776cfcea036dd912

SHA256
f170314520ae4f9716f1a80ab4bc7eb681b1f4f1cbb7a4435efbe2a63c5c5bc7

SHA512
977e3f533eee5bf2874cfaac46409e3e28fd7d14cb01cba7b53441dda51359f48b039053d5503bc474eda6a4664683b63dfb03c6a22ed7c50dabe338c3a57759

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2172df9b5cad08eabe88df027a06969d

SHA1
da00bb29436248ec2545622a080370e441436c27

SHA256
a609cbe0706eed72e9f435a50f80445d0956c2035e55f21783787ed1f41e5583

SHA512
e1e271ade9a74edae68d96c2683680d82f8a1763d52c1a33f83eaa4c97b3e50806034ebcfd2703ecc83000963ab3a83a4364d729a971f9e2cf781cd1b06e1c73

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
861a84682e85a4e7c90ca4a203b5f086

SHA1
ee1d97c13829f46807f05e4c644cd4c07dc1fcd8

SHA256
7c33183e4945340010c87664f3ad80afc6c9b83427e4563696a05cf138b78301

SHA512
f22b7028cc1f90c13262b94e28afbc2ec3974369b21fd5fd3400c28d00957b5d3c022533a6bba87009689428d7af12e54ea787885e05db5773d063faa5d40579

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
437d77f25ab6fc685c29640c7c6d29b8

SHA1
3a3cf56a62794786b06438dd7cf31eaeb80a4567

SHA256
b6212450332a4ae8008765183cdfc127b679a165d63079b3cf4aff3858fc3b38

SHA512
42510538c6687e5a144f7feab3ae516a8da6fd7ecc8c4df3639d4b0ef996298bd9fd9b4269f0c6cff5474c9b8bec5594e02a7750c3f7c5e995dc487be0cbdd78

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
482177d69a8e97a3dc75a4e18e6c922d

SHA1
412b2d6d0d04b1c22cb637b2b1be36322abddf46

SHA256
349923056efce6476d0464c54c1860fcb54629f52661b6f517787221db83c154

SHA512
8765f4fcad7260a6fdb6a709a97d1c39f2e57f36fc5cf5c9c829d9373c42b3a655ada16b45788f73f9e5d86a1dd031d813872a623021840a5682fbe7da4bb184

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ec5e59ca81ff8b7eab6c45a2f4118aa5

SHA1
7eeb3fad16acaa799ffdf8345b68774d740a39cd

SHA256
957a7ed3168c3a967687269b0298b75bd3439e21883542dbf71f23e946361716

SHA512
b3da14dfeef310dbb1674189274446027e7f7613c31899bce2d811254b9e898883d7cba60b49d8b22c73c2ac9e1fdb260f45a27edea2b41dc78ee646e2fab72d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
83fc403bbb34e8f73b829687d801b139

SHA1
d9369b83baddb9d171471882e7055ac9def0eea3

SHA256
6139d0ef3826c330cf5566175f4af18cafcc5c5e22c783928d6240e3c4b85818

SHA512
d44b30be46a53dcd47122426407584ce081b9e34e9e840a37cf960968f33e46e8a9ec18c8c23b3b2c984610da7defa07f25ab502b51a6369b447d1783778677a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
40c3f30bda0f3819684be20ce7cdf1d8

SHA1
a17816b2293eeef15a0da701190453e20135ceb3

SHA256
d850f550c73801b84433560c0388c01a40d50122ed41ce3a5a3b78d606d3db7c

SHA512
9f6b3ac591de230b61b38ec3b50981d73752e548b150283d4a7a3fb3e750bff504a069e435fac1eae86c4e1a12159a42b98bd4b601be9eea3f0c56036454e1e6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a7cd26234b3bb307ba6d4fbf60bc2f27

SHA1
247beaa4d3fdd839bc29fd3afc79de44b693d7e3

SHA256
a432c3f134ccad7f71cfea7e575335ae3439d4fdc564a845e9b874f1fa9f5ff1

SHA512
d81a665fb98541009529cd935b3502e86b302d96d4a87106d9416894593b22b7be187b8eba2cc97ec216b158bd2a294440d13c2ee04234a07d59bca19afd05ff

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cc1f42c379c39b4335e5ebfc23c121e2

SHA1
79b5565e4b590a229db7c5548b78aaa82d38a27a

SHA256
02cb1d440b98f5fc3400f92c6e5afc20805c57456b0ff315b838d25f86a4c7bc

SHA512
d58ec067c8b0458e9a976710486dc9d5379df690ae3a1bf81307969549033759d759a3b8bacf3485d39f5f58d186c9f39b1e530649b3c2296938827e0470b290

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5aac5e0922a216f64cf559ab05d9105b

SHA1
c17f6336e9c6c53ce7ebc4d1dd8bedfb408e6e3d

SHA256
e361e1b4287d6a91d42a7fbaa5ea6608d92cad36abbc06208014237aedb8f6e0

SHA512
157aa58cd2d421c1d25b495ae59c3d7c62988a0d66c210aeaabced970a54923195b6aadbb5c739af45e0e2c0ea9ecae52e39a884aecccb1c75039e30938f841c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
02b44c2fc9cebd6e867f90cf0f17726c

SHA1
e6eaaa908fb820d84b7141871efc649d0e233a2b

SHA256
43414d3b216a3a9323fbd2ea9a9250c2e9b788c83399c0517a0891561f6e34db

SHA512
608adbd103f8a6827a4651253038fdbede05b790ae2136bf5add6d9fd24a6f3da30c075f9ab784cca0735afdac4e42d590f7c6aefa39b4bd1970d3863f7f18ff

Download Submit
memory/836-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/836-492-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/980-150-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1400-165-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1400-555-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1956-153-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1988-327-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1988-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1988-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1988-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2104-499-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2104-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2104-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2104-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2528-96-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2528-101-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2528-146-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2652-147-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2696-151-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2828-149-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2876-152-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2976-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2976-164-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3632-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3632-1-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/3632-8-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/3632-338-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3632-93-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3760-84-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3760-90-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3760-94-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3764-81-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3796-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3796-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3896-136-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4136-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4136-78-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4136-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4136-550-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4340-31-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4340-37-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4340-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4340-498-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4452-154-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4452-553-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4488-155-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4816-554-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4816-156-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4904-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4904-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4904-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4904-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4904-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download