d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
Size

1.5MB
MD5

981d6339bd853545cee4da512c7cec9d
SHA1

236f49539fd7c17fa3c89661bac8f982d6946344
SHA256

d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c
SHA512

7fe64d967b7fc4152ff471ff04a8f9769c0a8f7f522f6f2cdcb0ab398db911440ab93f71c40e4867820bc856172a40eb4815e95f7dc4939967470b95a3ed1833
SSDEEP

12288:36cb2FDvvI7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fs:lmDoCks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3004	alg.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
2388	fxssvc.exe
1040	elevation_service.exe
4208	elevation_service.exe
4068	maintenanceservice.exe
1516	msdtc.exe
3868	OSE.EXE
4332	PerceptionSimulationService.exe
3824	perfhost.exe
4172	locator.exe
5080	SensorDataService.exe
4196	snmptrap.exe
1520	spectrum.exe
4412	ssh-agent.exe
2824	TieringEngineService.exe
2396	AgentService.exe
4436	vds.exe
4904	vssvc.exe
4072	wbengine.exe
5032	WmiApSrv.exe
2376	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e92235c3d29f71c5.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\System32\vds.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93515\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdac3e41a5ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9505b41a5ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a006b248a5ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ac13241a5ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2372941a5ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000617a640a5ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d67d348a5ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008abbae41a5ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4084	d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
Token: SeAuditPrivilege	2388	fxssvc.exe
Token: SeRestorePrivilege	2824	TieringEngineService.exe
Token: SeManageVolumePrivilege	2824	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2396	AgentService.exe
Token: SeBackupPrivilege	4904	vssvc.exe
Token: SeRestorePrivilege	4904	vssvc.exe
Token: SeAuditPrivilege	4904	vssvc.exe
Token: SeBackupPrivilege	4072	wbengine.exe
Token: SeRestorePrivilege	4072	wbengine.exe
Token: SeSecurityPrivilege	4072	wbengine.exe
Token: 33	2376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeDebugPrivilege	3004	alg.exe
Token: SeDebugPrivilege	3004	alg.exe
Token: SeDebugPrivilege	3004	alg.exe
Token: SeDebugPrivilege	4108	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 5328	2376	SearchIndexer.exe	115
PID 2376 wrote to memory of 5328	2376	SearchIndexer.exe	115
PID 2376 wrote to memory of 5356	2376	SearchIndexer.exe	116
PID 2376 wrote to memory of 5356	2376	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe
"C:\Users\Admin\AppData\Local\Temp\d3a6734838a2e242254fcd64ce11c3ca162ae76e1bf02e880de11451c1826e0c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4268

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.87\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.87\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4208

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3868

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3824

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1520

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4192

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5328
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3984,i,7761714625659357865,10802238739796857379,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:8
1⤵
PID:5716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.87\elevation_service.exe

Filesize
2.3MB

MD5
6819a8a75916af428fe7978b124d0c10

SHA1
7c8937b16e5616d916e13a91e8d231b00fdd194a

SHA256
d341389a917c92006adf7e0e9ed37054df0d17237caf10492178f19e34dad849

SHA512
da3709a04c1f8b36eebaff7113ea635361c7055d8e69ae9ba5ca65a112ecf92094c925f7d66480105c7eef5e9bfec4bb7628b0505c08005b57001a962ed59ea5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
9cec2859bf4f66d0255c624362f80ad4

SHA1
847901c0f8463027ca700fdef0b0246033d7b19b

SHA256
d1ee0f07c6422d534c52f4c4b9120e811e3a7bfda637790cc4b20d77ca0c053b

SHA512
67f75c29ed67f4012ae07e18525e6fe7a7c8582be7cb8aacb9560b582ba45093de630bc5b8b35f996a79c78450600c86076b0e74d57efae4dfc126fc1ca4b663

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
f5e7adf9ea6279ac2b24698fa461e903

SHA1
c269a80723b23541ca56a4a341920d6409982fe3

SHA256
35ea8518d8fd1357bb9cf031fc23fed44a4e3eba5982294843351c0f2d9dae85

SHA512
f19397fa3a1df358aabc30aed10a88efea8ad08c5a01859065a8c70f4cbf2cc888cf1cf4e1c76e74c6a91d9fcce59ca3f4b7e8d164b1cfcfe8eef9585108bc66

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3ca5ca3ab1ec9605285ca8811c784fe7

SHA1
1e55572f3a28c445b0c9fe34b9b73eeaeb42a806

SHA256
a4133553bebca9d2fbf7299832dfd738390bb5f535d479a48ceb11a755ac7410

SHA512
d83f655b41c5b6602333b6063706fc9956a071da48cb15093f40f60b5dab7953777fa1ff517f62a575f56ef6ff22fc646e618f529e4977d79f2eae8cbf123b56

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a84701125c5b71473b0905539e623bef

SHA1
fcdef366d3f6c68563ce09ea20f44aeb667d40e3

SHA256
7c394c3e74d3a967bd125ee3ea5281b2372c7f92748198af334a955584b84677

SHA512
a368b1af0717f603562e641c28d107bb80c90c183f2124f4f5904e75f2cc094c711df4d3010e80bd3701c22aca44d3007b9a4ea2c44435240cf80ae88b004519

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
e73be2d80976c4c80091ab0f17d1dfa3

SHA1
895443328e7c89f2aa1edb4803a166c7821558cb

SHA256
d9a2b3376195f76d18d9dba096c2fc986dfc4d1184b4b0b65e6e3fe6add8aed7

SHA512
d8e40438e6135816c1461a66c553a718289b52e5ac47cbd85dc6dab06cd432ab14e408d7947118c97a54565a56c701c8b51c6c352459d4a4d2b9a63c46f495e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
1e5165e065bcb356027c94c206af58f9

SHA1
d80f2295ff52464750c21ce392a46a92c90906bf

SHA256
1b479873652af8a0531061a5c98c0554f0356ce1a41e281c7ea10bcd772ac405

SHA512
cefb7cc7e788266aad9330e8d4ec6412eff49b01f197830d8368e90ca42b72c1796135d79042ed110cf6e694f86b49c6ece6abea9d654141e3194c93a27c46e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4ffae3d9854cea4691cbf7fe7402ae54

SHA1
fb7992007488f7d7eeb1fc3a05d133b058f41269

SHA256
3d7b2472601db7e0aaba4fd1b81722d001124e1a315ba90d51e297b4f71bf8a0

SHA512
ea892e3d131ad7c78f4450ae61b1bfd26a67f66cb56b811ac0769554db81b8756bfe514e6461dd6276ad5ab7eb28bed85747f77f9ffa6a44424ba9f493cda30a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
9d3989bc06b4c407599a05bf7c575166

SHA1
1d164385e884541e5193f2b2c6df68a6000d82a5

SHA256
3e68ce3ab7b551197f02ef188bb626713d22d746af7d2f14fe4c46ee8d8e24f4

SHA512
51c06f2de797a260fcc9b6d7e426d6b50d4d60c62f000fe61154694b67d4c2ca9425c4e0db3d970601d9d199ee346ac8ea814980f6fc92b2fa77fff7e4cc43e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8590a2954bb8158769b9d1dc79ad109d

SHA1
cddd5224281db95a5e7ba7ae750e464542efd11d

SHA256
8c4aec567559c71d0363da2e10b7094cddd6e4b18f10be2977dd2fa8367edb44

SHA512
cf01dc5caad216a734c8b513ac098cc03e03e60b731b04372077e1848eae53652a59938947c0b39d73eed362e568fd703375aea3a8948ce5970f3bd2c13e2b2a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
056b7f626f772ac322f0775122d22608

SHA1
da1ce166743b771b7fa630f6530cd26fd5628207

SHA256
3f65aafc21913498e944778b48ec8a517d95a117857e09bd273d13bd0e47a44e

SHA512
84065a08920bd5844736335e6ab51a8816f2c1bc92ab9ca92f8fb9aa329741b623ece2e9d47a9bb4942982ddaacaa9f2940ee278e452c7a89d6be7223915b4ba

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
23340653860cc2c28ac9bc7410f7e43e

SHA1
d6659efc392688a07b0b325d0cda256b0929ee08

SHA256
efe8a1cbd638d6f49be10615a15f014a2d6c6f2efb66f92f125a49c76ae25818

SHA512
886c97aa5e38476cff721617a279bec132e1d78ff7f809a50b51f882a5d4d7fafe76b68379831f9ee8e2ab332dba1f9055d88b2934653cf4e6a88707dfa7f732

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
50f97e8fac6a901f757892a89110bf82

SHA1
7414e57adc1ee8a840f34e15c810b15757fe1e4e

SHA256
2a12a780ba5ea07f38cfa6f6f2e922ab1c7dc52caa5904b4729eeba4bdef8f75

SHA512
b64d44358cc83a0a5f9dbb5f69fb98df9aa2d468d684f8b110d60c32f6ae9c1cb3d727819a0e8e418ae6a639711690da6e525ee27549ea0d8684d2f385814d03

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
36344d4381098dad47eb6cfe8f40c2e5

SHA1
61e319bb84834ffc71a441fdd06d70924a802f59

SHA256
622afd505927d072ebe5a12c63995b232f7682583e141f77480313c2ebbb1fa6

SHA512
5d21dfd6caad26765ad37d1298796cfb304a531a970e4b0ab8c3de016d52756215f1b398e9b4e6e55a183e1f35d9e1491a4975cd2de7d29815b39b869cf7a583

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b71bd28c5171c6ba222bc555e18a8258

SHA1
f665eedfd39da87a81e12b3c02df5fa38b862f3e

SHA256
c5bed41c2bd08a17b514f34426ea946fc8513b275820b531b061140297436a78

SHA512
3d092ac6b5fa91bca68b1dc9fa03fbbd5518670f842268eddfc914bb578128c413a450c2d389d59bdc562ec1c1af311733964c39272c5eed5f0304f10e221180

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8cc925da0ae39bae1afa843f5d76600b

SHA1
f5a959707d65eb9b50683a54b05102edb4ea860e

SHA256
d1f0796e2690b570b29c4650b7dc20347ca1bd90768a1a9fbb97fb564261366e

SHA512
2625a6a0117e87df6b2118a1fd117130baa7a4091798716de8f417468641a12a0cc6bd7da85b6eee4a3848fc1538a3bfec338195b54fbce6137d8906f88f3bf0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
40bc01e8f6614df3bde6b4e581c92b0e

SHA1
b39be9f5968958691360ec5a14eecd8456d51051

SHA256
5d0a6c24aedd5df0a51a3ec34966e76e9473579451b4b8ab38f35e2134c77b5e

SHA512
66d293615269c43081dfebd9c5101a3c9622162b817e304007e1ce40231ad8fabf3b98bc30ec0d993cbcb9f8370f84552466c642e33b387c27bc4b78086d72b9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1f107cbad128b7313bed6f0e771e06db

SHA1
efc4f7dd70fec5cf3304c456fcc5d283d0d20196

SHA256
285f009fd3b94d669691194c4621051e548b90c547b4578efde15a9c104b61f4

SHA512
d1fcdd317a88b99703ad88e0d064665cfafde309417a59321249ddf08d4d4c0e37d993538ea7699e8fe84c93eb61957191bc9688d986934fcb2734427b47a86c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bbecc2eb25d99b180a539e3961c64eb5

SHA1
c93592d2a8d8d907f458c52bd110e1b7447f1541

SHA256
b1586b1e4607ea429da35c000f647c64f68cccb42006922896175fb7be2bca9a

SHA512
2def260f6de8751ef093a4cea960836c92212af1f1b5fd8a96a3bb178d4756a4888b2336709157685ed703200494be866a809c3926192754c51cadc072f52335

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
998bf009e6d1e53971deed74e2589288

SHA1
cfbd0ec47d55cebdc7ad0b69d64127abb4488823

SHA256
91da0769ae7ce43c9a3013dd39518157a4e79b24997acb61d427993811b03fab

SHA512
f61309e813054789afa598ea61bad85a41061bebe4c6bf4402ea011354414534d0a86dd961d0277b81a6922f6f34d27c048ece68227639d59f685d1bfe94533d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
9a09adf1b2749aca673d2a70398224bf

SHA1
e2fb8759bab2bd4df77cd723f8e392f8150841bb

SHA256
4dbdb351e662c650534bfb2eb0a8b9d0dc976bd91dcd8d13920c21db51648301

SHA512
69aca3290c61623c3c22391d87e23785202c204bba9eb5d809962fe92429e9a762f145e9b1c7f7afbf0bc220780081f6b41eb77c7e0fad246baf556015267adc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
9959b9ca3d22078d5578ab2ecdbe5120

SHA1
d323361177bd5a8b8a3badfea0f523a32c6dae0c

SHA256
3c5db4c6eca7a903567985510559f94b7c0e94cc2b14e3a7bfd3c25860d0731c

SHA512
b65b5a43f3abbb4618e87d10de13364ae1bfb55e7d33d59d21712e426c4524d24383cff7683e48a35c5d89ce922e17cbcbfe7a64819ac0de8ea99df03ca9d14a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
89117e4c6a9fb4f24073ce648c576b03

SHA1
a69a64f177c70240867e184874bb275d5f22fe0e

SHA256
056eeb8d5e54c9afe2f7178a2b70752aa3cf1c4304615843e7bde6df9e9c9c26

SHA512
f7e595c2bb6d0c36f2a703c77e92e769054c3bef0a91a076bf98a801c8ed9b0f55fcab12c7c0f56e19d5a6674d1b0cdb90d0673cd2808cfcb1b6593653187dea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
4e10eec0f183763e0c21bb0f10dac482

SHA1
57e7403328a9d24989b0d834404160abcbc34527

SHA256
542e9ce403b56b1d29e5eeebcca4feacec3bd8106ec8cfc940aa1438b5f875ef

SHA512
874a86106badc04c7ff87d13da3f8c6ab2dbe492afc29b734ec274150514d12028a19b854c913433d2611be8ae8f3049a11547cdb5530b22d3a8ce18b71db4e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
3f5f4683e489d9e20beaae463b5a9633

SHA1
dc95f8bf7366f2b932796bba5d62ce6f61c52696

SHA256
03b367a28d0fc9417cd0f6c1579265a76337011a3aa482d0908efc8baf5c56d3

SHA512
19115b58c8e4d38420ea66f3c7b9c535ee1c9ffec8a09e2d2076eac8ab49374f00ca67b77823e106876e5a265b0a02b9ada3a79077886e93584b1185db8b687c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
7ad676be9336d590fc1681039e9d56c8

SHA1
b7107fd163355afcbedaabd62841eba554d2768a

SHA256
d51e2b92c6ebd0c8b1c611b9d0d159cfa73e30a1154fb0babf8b715f20b0cb7d

SHA512
857ff614a89d9a4235482c17b9954e6dcc2ac3b5813e823bd18d81446337b08d0a71765bb639011e2d1712bea0bf0057cc66a21cc50e4ff21246e8b8ea4647c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
7394346e33f0ea2faa32ad3c05cf5472

SHA1
c4a03d10480668cdffb589fdb2e029e655785168

SHA256
22fab21489308c6c9873620a82dd56505dc517bbd06ed204e365d4839cfcfe11

SHA512
557634fe387d91f8690f236e2c084ea7e5eab941100984f00e1c62fbcd142e6695c2a4377514d8dc74a05c720717de4246aa32cb1cf1d27eebdf6939743c59b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
4790d8f926a2a6b778033b09c4ad508c

SHA1
27706537e59edd528ac368f290cfecb1795a427a

SHA256
c0eaa6d5a8d049606e611384136be369f550a2d40a02d39801e8f11096cdca9c

SHA512
5d038037452e0dd53cb2be72ce2ad7a819ce96684e6d06c467c6eebc7daa010cf6f7181e8ce64bee133de44d547dbea482fdcf9fe9b7539ff3bb1998988675b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
4f19307d5895db13cf9922847c5f4089

SHA1
fe89ed39211480e379b2d1297f5982eec7a1a1fd

SHA256
ebf421223a4ad98636af681c3937ab08026b9b8dab42d489ecb3aa2c4e16cd35

SHA512
f58dee1b83a294d19c32044df87e397ef9e94fed53a74d39c344679b74c67f6b3de35fcd2b394135460cfde1fbb4094e676428ea088329d9c1630ef5e1ee42ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
b12bc906342e9ec49faf9cd51b584d09

SHA1
e8d05d771ba86ab1fb8566a1911cfb301481b48a

SHA256
cefda6ea195f207fde887a9723e23d084af451a3b8997ea8ffc746969f3b16ff

SHA512
dac205593719fe28bb49777f9e566e5665f69f4871410dddf71adcac900b91d319f8dc23bbe50d492ac7aefcfada2aaf2f7594969ed4fecc8cc6d9cf3baa8b0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
9fcd098ac7847e93b7b67e4ffbdc9c9a

SHA1
2b5bb5783abb5cd5c8db5d8ac5caf123e8d5bb68

SHA256
cf9ff67ee28d6257e5be15a0c82352f66082e1a214f9e6090df68c5144ce3073

SHA512
05a2b3cf8f559c9c3a584910a9d5099d2448915b62d2e5398d640bf93a8aea4bb4461cf181ffcbb97892884435109d380f9cd00f7e932cb9e43c2fe26e06e10e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
f019772b3ec8f89333569b49024de1c2

SHA1
6bdc2b5f9ebaaa8a609b5917fa9009f5b9671166

SHA256
3135bccdbfae04339e9b827471c0571ce784c1211e78370414cf8cf8b010e4f3

SHA512
9d9c30c6f00e6cd0e07a71b6558afae3c75286cc9c4ee210569b83f4444373172d8bbfb5c13948b59f019a022b5e86bfcb70e8bd8c116f33d8014fa7104f5d87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
c0bd7d6e0569ae59259fb49ec1433eff

SHA1
b95e00e885cac80be7ab8bf56108279e30385e3e

SHA256
1f420eee2318d9786f92830b8d22d6c57cfc08857dc48a2879abb2fd498c03ea

SHA512
65d322ea8ebfd0ddbbcbac9abb57706f2820e73ea96b247cffb2b8d4769a8646f5c40ea56818ea685ccb8cf9357d961945ac147ed55afa45db88f835e94e0cda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
edc7612d9b579abd3b15259fda53b2ad

SHA1
97475b14d03a788037f6fe7683d4bc6b7756b815

SHA256
fb9b7cfed69346e034dedda7586fd32244a7560707bfd443e78c2242f1c0b3d7

SHA512
b75f8429fe3d7c8f2a69a82defc8052fb54abd18fff8f2c6ba75dbf93cbfedea47ea383700c4abdcbe7646a0fae62c804350c0e31c9bf75a1b6f3a70c861dc2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
bc75d30fa2c2d90104a78814c8a89505

SHA1
0a4da4cb841f82012344261819395d67eb0013ee

SHA256
efcc55c6512009cfc78e1e1ff4eb94c785f16251c00ac77bd3bb2e65a4c875d7

SHA512
7ca418db90c9ff76e8ea4385b423ab03d0cdb6fad0abbf032a2dd16169ebe15965857700340f492b7957b074f283003ab2fd3cb1d452b81d862947c3c0700be7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
66c8e5e05131898036fb2fe78ae72255

SHA1
6cee33efad1a91f332095a53654f0668f6864da9

SHA256
0869a4f0a780ce98ca7559a019ebdc954052542694e0af95b6aaccdce5b2ed16

SHA512
bc26534034517fdde8ac55709ce439d3f9cf0f6a55f49f863479063a74711c39e6765652e8a85af3591762a3bf1b390fe89fe587c00c4c5c19a38c42d771c415

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
8ddef3e94da2bda66dbafc00ccec5d1a

SHA1
d3d9ff2baaa695223dd6851d4cba49a3152daac7

SHA256
b575a79121efe4e94729b84319bb1f471dc1f46e1a5157d7f7816d54ee2e0cb1

SHA512
8af441e9c91232541aeea39f818ec938d1cbf36490110dddbf388744b2d1a5f85c88a085a5841418e40be50053e8104967c463364827bef64f7efb6c70b99970

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e1a834680f7962f8ac59375e833d5ae3

SHA1
7cb33286bc9235ed8887a9c1bb13a6c85e741aa1

SHA256
4b02312876cdf340c0ef4961cfe87b20c4917725f1e7dacbee3e0d41b0d20463

SHA512
ccbfac5890366942bb4ded6d97fbdd96f95fc4262539ff16e8f2063bdd49ac2c32d64a20f83c46e97568d2458c8d4b3beecdb3eb9b8aa76836862d91ba31b970

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
5d1d15bc02c84c1271d3eb146211a9d8

SHA1
6f99f13f0823aff42d6575212c91d4a723a31808

SHA256
f84188ab66b20e5f08d1060fc28da6cd9741bd11d9e5d919aa0d14f2217044a6

SHA512
20dad672901b05c1918b80db542576b43f120e1d2dddde4a92e7652e2587e78e38ff6f1d16ebcea3a3e55eddf82c8d3afa4c79e664324d89dd82e1bd10f9ed45

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
94683277b988ea4cf187afb770454425

SHA1
7ced85333d73caac23722e29471701c634c4f96e

SHA256
a56a21249c161e9069e03374033ecc010c5557e26f71bf57ddb44adf19e31d25

SHA512
b50bc0683a8ac07934d428df7f366ecfe651089f0596927fa68b84dd880c57c1cfea43367d3343d87075dab22498e1e5e8e1a1241df30354911334f988b6682f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
59fa51bbdb31f514c592d938fc6b04ff

SHA1
7a3a5383e83de1bb3339886057d51a871b695adf

SHA256
0df5a50c982544abdd2c584c482abd30a5c96921f9d0607f062e52f3e49df4a5

SHA512
c5f02f29b3867d89efa3a6b2d08dc8dcf6ad764d81eac4702679e868ac0fcf7053f2631474b389311ef9592d55fa6eb9ff42de120058042132880b4daaab6645

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b3be8c17868ac71301776179619f8e9e

SHA1
7b9ad6133120af6a3ab5cabb628e35bb552c32c4

SHA256
8703c0bffa1f762114dd52554cfb5c3f6833f280b15e8f943ccbbbfa9c252a89

SHA512
071ca0374a36bb21d72bbd87596b37fac89119dd55f88b183ad233eb934811086f9e4797a23952cc54b6e526e1fa0f3b88f24f9d1c9491df642b854c61375f05

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dd4ef5090c011dceff32e517edc674ce

SHA1
9e146b4e1e7f24b67b6a38a03fdc6ad075dce97c

SHA256
0e79739447493db6d8eba4d85df0a2f066010fe2e298b57ba9f83b6ba7a48b2a

SHA512
c65bdd323ddb12f64deea39022c3d310bbcbc121655bcb2215fc378949f356cbb27d30cfadf9b76b42ed4c84fdd54b47bce859454a8da7d6a5dc406d8b456fed

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
23b8f0e30b3e1d103932a15373fb353d

SHA1
7c1488974366b240376749d55edce44ecb904768

SHA256
6133519f2ec8d2e3d1c58018fe5c09f2e2e06ee4dd9e784cbe14b5c604ceb9ef

SHA512
01d3f20e052f3d361bac54ef683e14e049e4e3e2b8fb8e8558184da0c546d947181d1aa79992178dc997ab01bdffdf961707f05bee4803551c5113040c702cb2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
5ddf3273d481a7f675d8527cb0fe41fc

SHA1
4d30d39a169bc679cb8b8f2870ad3b077baac6f0

SHA256
cc456fd334fa08c0ae3226802fad0045c9f72dd545e5cdefed9d1a8ab76abd80

SHA512
2f9520b5e5a64f801a6ffe6db352a9fe4ce45a2e6a7811b217dcb99b5cd4c5315920c5b7c6fd9ba4783f2cef8bc7ea31098a782be183dac699a2f90be77d9f5e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
2fb6772453bd4678c965661287a2e013

SHA1
18327d7fc34092d354e4a111d0b73326801b690d

SHA256
98edbea939b17d8ec17e5afec83c4ee481e494418c22a8996ae7edaa2ce15f87

SHA512
8cbfc7fca8fcb381430b77d331f791e0aef98be66baded8c7ce506385660b79a077de2a8aba669cfd6572f1fb3bfcb7b0df51d4779e37e027c18967b7dabbde8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
52cb6b7b639051f45941a73e5b5e9e0e

SHA1
db8c7dbb8590b19292ff43bd3b103ce26190ac9b

SHA256
5a30c72fc5657c9b2b2fa18ad294d76eea608d531da74281cc790949ef115ef2

SHA512
ff8f86249a4311935c0ab4ec478d8629f2e54840d7817e362def9e1c38b9ebbdfbdf6dc80811031fd73e29320495e1c92b14675f211310a59bf44ce81c3af1fc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3e8a17789ca2c912afd0cad91b3aa91d

SHA1
899fe18974d7d761d4ffea41ff1e9f960d328474

SHA256
992981ce53b725174d6b1206946d030340e92fc75ca0917d080bc534d723d464

SHA512
a526af50d132c9957be46e05140593ea9a43d9c2d48e5e7e0d34771afe157e53e5c626d0c0e359e0defd2fd8bcf309723e33f5e2df314de6d9670ccb2e47e5f2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8146b68a4c430aa2c473508c2075e273

SHA1
f1e0114b835c0b34310e9cfcf514350358c728d1

SHA256
12ff848d5fab0f4dfac4c02c341d31a8489f0042a5f6f596bbc061468cf1f621

SHA512
3e167f00d6715558f3757ed01e24d8c033813ca13275dd8508b13f816cb82561f5691ea85326521ed95792a9ed12b4de53f88f54f06d160bf2f402bce5507071

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
88c69d788823f1d5b5d03fd3709dead1

SHA1
97771487cfed80432b2cd8c9a356e824843e2bd0

SHA256
754980ef352240d666da93cd7b28bc9335c9a634431e5eecee0a39c1854f119e

SHA512
1173b50f5642e86793f6dc385a0ee76013473fbb3073b0536fe399fc5704d5d0925facb4ca2f3434e115f3aba81a72e2d3e3f134d99f1bd364e79b27886498ca

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
300d5f00e4a17927e802f5fb8db0e666

SHA1
87c25850fcb313b6ca85a5a63265832d824f9d1f

SHA256
c3472fd9292a87f7de91f06466418479660b229e884fa54fdc5585e2899a8a9d

SHA512
30dd6f54b6a838e2f1e90deffb77f3ad43edda9dcacc3e4fe14798e87aee26fec6536f5e06e93eb410efc20d7623a096e57ac413147e7592d97d48220d4ac027

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
fd966b7bc43a753cae04487b7acf3a43

SHA1
8b22609e7894725e348647a639bf43452284fc3d

SHA256
b86793ec412ada5f9c3ad27e256e341df2e93e6c3fbe87fcee00f72113d778ba

SHA512
95dc3cc4336f064b270c6b44fb056b910b04e192aa5d36d2b6ea049a2582c1de9ef7a80914f660974c81dd3fb33ef9dff5b316db2af937a76ebc59a9af62ef56

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
edfbd988195fadb2593d2c7ea9ff0b43

SHA1
11e8449b62435febfb7497f669bb4a0c371bb1cf

SHA256
a6f1ae6c20d330880ae650811db6ae8431d07e86069eb7e8be1705b56e88ab3f

SHA512
dec0234c6894c582184f531a8534896e89a64d875e454db25e9558e5c50c0e5eb42f5a72ff47e80636f0a5ac385e2098c5a29b4424e12a74bef56cee70069965

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
b439021fb1e37dc6bd682feab5354318

SHA1
7bb81d7056ff6cb38fa9595a011efce391111d89

SHA256
46aab8afbae694b60a609a8df41b43d8c5ab80fc9c9de4c020fe3437ceeaf19d

SHA512
8d199eaa1de0af66326f6a6870258b63a9618497e84748ba051ccb4078c736b5b1eebe68931c336fbccfe35d2b07d768aed62743a38408f69678156d8433994f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5e32acc0649d6345b53188ce378d4fcf

SHA1
545060ffd0c4bbd94aed070900b1d55df0bc6a27

SHA256
a121c458690c55b91f8bd4a0e7c759f35c1ce248550738c94b40f62c5a3b11d7

SHA512
a1f0ea5778871ff7290f63b33c75fa01c25dded93e7585346589dc10e5f890a0429e8dd572240b95eb610cbafe553da102edb4c401faac8b44320ccf68f23d59

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
f3911015729e82489c03e159d1fbe4d9

SHA1
8b8a197f449d861f4da46f83a555ac1846731fcd

SHA256
3ccf09012451b223806932b79c5b1362b899cac0ad04e6b1925b470c11bd5b10

SHA512
0c2237294a2ceaa5eec1c997f5ccf7de29ef598e6af80adcbed794834b2ee8dd8e3ed6b05abdb16e76a34bdb83dff6bac9d3e26c34b5dc8a86f37200fa2617b9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
be761452cf2077e0756fa9fbb36aaa10

SHA1
2185b7928f52ccbd3093912fb7cefa284144bd6b

SHA256
d2bf1c67cc349611bf1ecea1a7f31c9b601fdb1d6dba49803e43a86a54268e63

SHA512
bbeeb34a24072552e77c5843dda69386bd7564880dda350a88809680ed2097ce77cf340c7cff1cb133b2e3ffa095a10471e365cbf9d939fd3ea66640e6a42ee5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1456331870a4594fc559735e9965a4e9

SHA1
b0960fc894cf079273b013ecc031cbddfdf5494b

SHA256
733bac2ec4e501ce4970df536700bf0590dd46df71a9e7bfdb108f7ff3bc288f

SHA512
fead9a84a5bdd739b8fab077d13566fa412b5ac7a4ede96374b3db4d6cf321c1550fa89cf96a965b78d5c11d9bb4c54b9888844e1d49ad704f3ccc5e1166a81d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
494eace01a969e7946005506c6e7369c

SHA1
ec00e78cc77db9b49ea5eedc2aea36be98f7d556

SHA256
91ea0ff19e9aaa1ded591770ef808645b73fcfc5e6256542832d63c2297d9ec0

SHA512
0428d318988f283e06ea1c50b3099cd1d9b0496e28a53cc0c61fb5d7485c287db88c54b384573411dc49e4a46d8437dc30dee687a0dc1d8da33bca00a62f3776

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
0186200b8d37ab279903e3e5439dde27

SHA1
9058e7f8a32bf8756b5d0182201f04edbb3b30bc

SHA256
8620756ae1005ac5e9e6e461f72e9188d20fe1f0adc489f3cf2caedaba3fd67f

SHA512
5e799a08f09a2ab78f711ca588b9dcd9c9200391b73f1d3510580d269434853c839d763e18006b67f69876d3dc90b28bf06a07b84220086c2360cfb3bb07b6f9

Download Submit
memory/1040-56-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1040-50-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1040-438-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1040-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1516-177-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/1520-572-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1520-195-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2376-257-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2376-611-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2388-46-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2388-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2388-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2388-40-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2388-60-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2396-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2824-210-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3004-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3004-209-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3004-19-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3004-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3824-180-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3868-178-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4068-88-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4068-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4068-84-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4068-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4068-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4072-609-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4072-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4084-0-0x0000000001F30000-0x0000000001F90000-memory.dmp

Filesize
384KB

Download
memory/4084-461-0x0000000001F30000-0x0000000001F90000-memory.dmp

Filesize
384KB

Download
memory/4084-460-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4084-8-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4084-9-0x0000000001F30000-0x0000000001F90000-memory.dmp

Filesize
384KB

Download
memory/4108-36-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4108-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4108-35-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4172-181-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4196-192-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4208-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4208-82-0x0000000140000000-0x000000014025A000-memory.dmp

Filesize
2.4MB

Download
memory/4208-437-0x0000000140000000-0x000000014025A000-memory.dmp

Filesize
2.4MB

Download
memory/4208-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4332-179-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4412-208-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4436-212-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4436-573-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4904-223-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4904-606-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5032-610-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5032-253-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5080-571-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5080-182-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download