29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
Size

1.8MB
MD5

52e5a3045aac43c9b2b57c8baac59fb8
SHA1

9b358f79bb9aa01fc9bc86f66bd2e8e3e527584d
SHA256

29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383
SHA512

c21f2c1d5e0f1a69b608040bfc46a6d7473c433e52ec0773415d44491ff52bb1fbeef538ed56ab49a1974d681a1ed8f6789c6a4bb5e7b9eb3774f47c001f1298
SSDEEP

49152:ux5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+MdFrIe78vH/:uvbjVkjjCAzJETjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2252	alg.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
3732	fxssvc.exe
4604	elevation_service.exe
4916	elevation_service.exe
2844	maintenanceservice.exe
4824	msdtc.exe
1864	OSE.EXE
3504	PerceptionSimulationService.exe
2856	perfhost.exe
4900	locator.exe
1932	SensorDataService.exe
1676	snmptrap.exe
2352	spectrum.exe
4220	ssh-agent.exe
1684	TieringEngineService.exe
1608	AgentService.exe
3456	vds.exe
2452	vssvc.exe
3912	wbengine.exe
3424	WmiApSrv.exe
4504	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\locator.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\vssvc.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\msiexec.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\wbengine.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\AgentService.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\System32\vds.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f5243cd892be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM7976.tmp\goopdateres_ca.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7976.tmp\goopdateres_ja.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7976.tmp\goopdateres_vi.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7976.tmp\goopdateres_hr.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7976.tmp\goopdateres_am.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7976.tmp\goopdateres_sr.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7976.tmp\GoogleUpdate.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7976.tmp\goopdateres_is.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7976.tmp\goopdateres_zh-TW.dll	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097eb216ff098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5ee786bf098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075ca336bf098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af3d2d6df098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076b63f6bf098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006269126bf098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d82d176bf098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001aa12f6df098da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5116	29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
Token: SeAuditPrivilege	3732	fxssvc.exe
Token: SeRestorePrivilege	1684	TieringEngineService.exe
Token: SeManageVolumePrivilege	1684	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1608	AgentService.exe
Token: SeBackupPrivilege	2452	vssvc.exe
Token: SeRestorePrivilege	2452	vssvc.exe
Token: SeAuditPrivilege	2452	vssvc.exe
Token: SeBackupPrivilege	3912	wbengine.exe
Token: SeRestorePrivilege	3912	wbengine.exe
Token: SeSecurityPrivilege	3912	wbengine.exe
Token: 33	4504	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeDebugPrivilege	2252	alg.exe
Token: SeDebugPrivilege	2252	alg.exe
Token: SeDebugPrivilege	2252	alg.exe
Token: SeDebugPrivilege	1584	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4504 wrote to memory of 624	4504	SearchIndexer.exe	SearchProtocolHost.exe
PID 4504 wrote to memory of 624	4504	SearchIndexer.exe	SearchProtocolHost.exe
PID 4504 wrote to memory of 4844	4504	SearchIndexer.exe	SearchFilterHost.exe
PID 4504 wrote to memory of 4844	4504	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe
"C:\Users\Admin\AppData\Local\Temp\29cd0faa62a1d59d611800d954dca4ac02e8888bab003341739d4739592ae383.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4816

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4916

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4824

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1932

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2352

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:624

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
3795f18dec7a7fb273692b9181213033

SHA1
d9cd477d217ce70246762f455098ecddfae9d67e

SHA256
5a58e8cbd1f0f974b48db8773f9e831d231d385ad597bd83300517b207c55325

SHA512
759fca79b40ffb7675e0444b0e6013aa5e06e8c23f9043c41a102dbf8e0448513f0d9ce140daf5cd6d468bc59ba22566d23809f1f3adc79e27a5816f7766933a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
5d415e156cabc66163d5f1170402d915

SHA1
e8df7ee2b357312fa89841c856db71496354c96b

SHA256
6af1eeef172670746b35237575f484f6e1e6a518c0645688fab5e88bb95531a7

SHA512
19bd173153a32600245aa6d3abbbb1288230e08d7bde0741bed69db1220efdbdc70aa8734749a4193441dcb42d870dae8527612c0b0f5220511fe4ced313d206

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
3d8bd82b266b5a244ac79fa2fdeb78f8

SHA1
30fec9a434ee54f7aaad9b0d01c3c6c6f33c2878

SHA256
2efc5fc682d793ae039ac3a36ddf03217a93e1a5335f92cbb40f7e94af9aedb5

SHA512
5e8d5bac36ac0bdcbf0a1d70c026f19920c48a27af10f7d6b2c10a97e60fcd8632b3e36a67a7a424e63a77d5aa86eb452940419edab343a8edd61869335f9e92

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e115c52da438317004b378a7515fa35a

SHA1
83216d357d0f1f0ff19df605dab460e8c87e65b5

SHA256
96435c0ce9002a14bbf4103b55f815f2d7ca5ea3f2ce71ffa263127a24258081

SHA512
c4fe8101ca5642245cd6f78f5a028fa40db5b315b98fdefc551d3c506127fd03bbbbc27729b56557be2f2e67c644eb9d6c5bb6937e9cc57a73ec21438b729d68

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
abd6f8e72c2781a4696b170daceba9b6

SHA1
cc34038f04e2ce9f7f72aece2b896e9791c7c970

SHA256
711e25d7ddbc3db7c757511fa52ae35cac95dc20c34d2200f3c0666b66baa907

SHA512
df5e84623205635e703988d2414db991a03a8df94489fad3005ecee5a49da3c590e8d1aa9b6443a6ee981a1bd54af9e27f35f4f89af2daf64c61d804d466e1c3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
aa42daf30e75a8c4f1d9a0266a8f6cb7

SHA1
b5abcfbe7ede928fc5de492464875d0784d71b41

SHA256
df307d8ce6125fe8296982dc9b13d3edbcc1f508406c6fcc512afa19640918fa

SHA512
aa07a42267f69abacb9b3771bff748b4a7a7f7454900bbbbe6ba2619487a4d5f2b47ddb33821e53e6417e91d7af14a56772ffac236ece0f58a095a556ac0487d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
0f7f6dd856c99e31591b6ce0fafe359f

SHA1
6f523d54dbeb92b9f81ed0be2828b5e6d345fc39

SHA256
2935f959a650f597518dd660b62994b6e4de94ce0db1da405a63512d57d3f85d

SHA512
18da2d68db5b4e9ed2787ed9931d8f6334a13af3e0e426f8d111c36e91a7cfa11d242dbef2c50e18169a8907db3096ad0170c9d5199bc367976d9ea55472e373

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
5972c3e0464b591b8625f66f9975dc3c

SHA1
774d91b2644b54f5ef8c67d3b11c9c223bc57b27

SHA256
b1cb17425b7fabb04324cbe0d07a911095422ef8bfa541234a712f60a4b95120

SHA512
00fe7a2f8e7f62b707360fc886c643fa4640fb1f19e490a34dd085b35a345b55c221a0de0736fc72cc52709f311bf066673c5f411ea8c23f3c0c190e155ee8db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
9ce2198327f56dbc68630d7c37b33422

SHA1
434a17c36e9f7271664cb229de698c51736c1b43

SHA256
c23dc3390e85f30cdbb67385f07a301763cc774a2bd3f84d62162862ca0c5c64

SHA512
6712b4e237a51ba59fb77fe2bb3e3d3169e3dec426efdbadaba63f4646d6b34d51857fd73ef1435f1df98374f0e6973a65607663afc890d1da6557abc4b00e34

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
5097e58bd2fa5fca4266fe90c1c86182

SHA1
dcaa46c46aaafa45994a2635564b619a9f7aab94

SHA256
8805697b7be5dc6435b79fcf1c8c1ac15db91388badacf89d997dbadfd42bc41

SHA512
abb1dacb18431a1eff36b9c2db50abfcf01fc23bbb80315121ac28c1073ada9a0b21b1af67138cfb2d2a7ba8766247a02ae840a006b850726c853c040398759a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
3d6021fd49e13a1806776bc5ccb38796

SHA1
affdd28129fd96be07afb6507b2bfee546684699

SHA256
6c2b983fe9b7afd5526c773fd56372a027f603a3711033c8da9460e3f4438f6a

SHA512
be9693a51b168ac4f19fe1d6bb9685dfd7b6254da36363a7274b4da7851102244125921a269582ea5de53997bbd64f75f20183599736c8d3bbb31e3f524b464d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
edf7fc3193f2a02174222d052a6411d1

SHA1
9a042d78b178fda755a7844d45a0a1802683578d

SHA256
e8e72f58fd6fb07c7b5324f42d738bd9471d09f9b435aa15c269910a516e982d

SHA512
30816d7d3f6be975cb00aa019d6f8d8d68e4f229e377becadd35ce8b55e83a43802dfba098afc47e99e7949ab99f08e415cca5a5e1654cbb3b2b1e95f00e1331

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
75b71a8896da0db0cf947817d4c59c8f

SHA1
b3da0fca07ca2f22e90cdda6108851308d79218c

SHA256
61ac43efe80a45677529a7a16dcb86fa98cd3cdd57110aa05d448ff8646ef281

SHA512
1d428268b7e669a2f856111c143e8769a2ef659f494177f4702b812e2e274f7ee1a4a562ec920157e0676691054bce0baee601dd6761c1a318adf0b65638b67a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
83a427a4ef170e4b31fb45d5a0671ee9

SHA1
4e64e5f1b248b71616ade740142898deca3c2d6d

SHA256
8e0012192b7b7581d673f12b8b3782d29cddffc6af2937f1f133ff29bb51e7c8

SHA512
1ce31c64fe633d243c33d374df54c1093d014fe2f8ac59a40b0dac740da6edcb0ab83f0c9425a0a836659449471309f775dc1a99809d0520b527a58fd743b895

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
48ca83885feb3f1d208916ab2d6fa6b0

SHA1
9dec2444c85c395bc8393758b450a74f5fcda379

SHA256
8b1b3d60472f408b8c93982810f4c9c09da1fac115438c520521fb571c852ea8

SHA512
300a5b0012228894d93a8adaa4fb23a4b57c50d56987490f735ebb6d4150bf3f515f97dfce5ec3d8ce3fc16b28f7d1f416f0695c080aa77df67afa8acc630fe4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
79d4234d4bd37e33183f0a47d590bb95

SHA1
56fef1c199c9a9315d8e74b763ffa0bad64c513b

SHA256
6f604b892205099e1033322e8a8451cfaeb36be7317fd0239985e4849e46ef53

SHA512
3c5c3a7c4074e71fab919b04042dd1c2008c1f5f74d08a671aa73ef9dff49838f84c4fbaa78953150cde704022ed8f56e62447d9cd6d38c9b39b11620359b339

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d2140b7b6b8268780a2d27afe965bb89

SHA1
60e138f01d370a942c4a2d07eceb72cb46a9baf5

SHA256
fbaeb815177fe06fc8dd9c41d981d414ed2ddd22def0906d1b99556c60d221e2

SHA512
6b41fa1e9d03be3b0dc8fc9d0cc61374237bcddc2cf8a53c2d00b11238bbae01ee919ec5340b6716214ba988a116ed11bb2b426dacff0a3a5a7b9bc4626ac19d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
0535384cf33cded1dd1ed4198f09d68f

SHA1
f8e56e0f4368ae705480b5a59fff818a1be08392

SHA256
80e1415fdc0107f31d65950929e444b91aacd74cb9257cbbef8c41ca7f068b30

SHA512
2de849bf2f487f45158b80315ca0b15aefa994684efe20a0e6ceb60f858fb9651b96b8351ba0ec22d8d754949aad5ac0eefe57bcda8589155a32be2d998797a0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
f9cfefb21ef7864f0f0ef0a94e674b5a

SHA1
d4517db03d915c19d9d0c71c0f55c6cf256b7f01

SHA256
900fd9b22e4fa43e79e8674dd97fd2b0c7347ed88ea002339bcfbbf85781244b

SHA512
754e88e35b96c65d1c402012aa8e8db42cebc5112b1f90f98b96c0d961544162b67047a8ba627dfd3fefaad893910580cf74c9c5f16c4e08c4fcab98073df578

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
1e037c204900b827e672d2b91d244f5a

SHA1
50794ad875e95fefe2198e7d2179c4e8400cdf83

SHA256
f31f458d7cbd5e11e05fc1baa48bd93d0df94c99723ba9b72659cffca6c60b5f

SHA512
186ec3f73a089f4a94eec50fff2712857f35915c5c0afb64339e428250bbb7d4f986147fb9b5b499661762513267ed433aa51003be4006e15e7b230d1d39b740

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
dd18a2eb251ba10d91e134aca282c6c3

SHA1
131e44823e74b20f1ec5524f11e0f2626b3dd755

SHA256
a44c96d12de9ae2019e58225ff902f9db4fc18b5be30e8dddb921c782ec05476

SHA512
3344b50a87c57b1cf817b97f8807201db7ea52a7085c46c000b4ea9985a9a221e31b8770c23e7efd9d2ab6f372a949fa9112945b46daaa8ef43c25872d71e84b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
c5f99ed0708f0dcecdd0b57d7812f50b

SHA1
749dc5e8ba1e9c2c7dfe13c8d4928548c4b9c042

SHA256
02568e2f6bd508d5f703581567a99aa1311d0f2c554663b353b1503c990cc2a0

SHA512
27938972d28f7d255fc235818a70be8ef7276ddaa440a2464910c1d9ceb1bf085e5604b6026a7f507232fa2230b68b379db9bcf7dc677a9db59d0ec1126934b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
6c22512724b23a0f98ed64a4d685536c

SHA1
7582b6681f21ebb2615720807b26c15ec115ff08

SHA256
7222c433caf5a9ca4fe319cc02ae0b65410763a69d0da6c26fbacd1b3374fce3

SHA512
26ec556507b9b6b64e8aab3ea7329117409e5bfa44454067d0ccb2a62956da5bc97d7cf642b84aa36c7ae00d036305c99b83b0fa01f439d38aecb96412286d0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
c801c35170aa2f49fd8ad6db49ece485

SHA1
87d5569dbf62701705ff6500d1033efabcd18a20

SHA256
78d06e1686dd23b7242d699731a88901657ebe7acbed774ab382b1bd51c542be

SHA512
415bd1f59eb166ea640c0e3946d67d2d202367010144a0828c082b442b111497f8fbe417f07beeec3802436efc0ed7df433f63605f519ae823e9cebeabf056f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
d2c0fb312c09a50a7f714acac601cfc3

SHA1
0daa3e1f8389c338d499f163155088e25f2407be

SHA256
dd5c7c956b237471fe68f20b4a93d6d7fdcd849e3e7aff41018de4a1d9ae957e

SHA512
72564a80b6178bf0a7ce9c0c179b9d6b1923bc806c8c7e144e551c5caecd768270f25ac0c91d3ce9c660f57996927f95c2a4cd7696c6390bd5743253146f00c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
207bedfc4852e132362fb7aa8a067c16

SHA1
de3f639af403ac85ae57dc86fa25c395efc03b41

SHA256
45421694bc256da148d601587726eb52d67b66db5960962e4516b5bed94154ca

SHA512
6d526d2b11300d26938d4cc688f3a8d9299ea745ef5b042340ffbcab1a87148d37e68e26a579c64e08bfb62249eff257e66f5a5a830486546d6453981f8bbf80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
aa0571fbe659f9d22fe0956e38561e9c

SHA1
a7371402741769107059826fc98b52a2af9583e7

SHA256
d885c4a450d83bdfe056f3305add2905ffe88702c5b446bfe0113a17cb324f3b

SHA512
c3d05300804acfb3142611181413c14fae2db0b34f28e85fa94735e448b1782861311ac8123aef2d760fa4a8b970a9e784820c9021ad6b63dcb9ce80f43bda85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
66e0483861504db0cd5651b9cae43388

SHA1
b867115ebd4b20280bfbb542a45019da6a5a2b10

SHA256
49c7060a62339380e46a18e8272f4b4bc2486f5c88c95dfea4882e16aab81ff5

SHA512
45ecaa151b304baf948cace595a39de292a558466c6dd9191aea0a734d819ed22f8b9b2362430b52176654f90ee57cefb993d21c77243f837ad2b2da67dc6ca8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
115b0620aa30e7ff6eba3dad6753794d

SHA1
2eb0e056fd4c6332c9f5d74ad8d9b43ef7a211de

SHA256
5e206015bc025f57372fc257cd0dd4c676fc93cf9652efe5a680069778546cad

SHA512
21f41d1e5c3c8d47543481ed38cfd24352428b295980b35cbf72a69ee2bc822c486c2afbd245e042a52a693b9fea1817ba1ca62e867e91c0965eca29fb0c1c04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
ea35b1f09a7e5d34166938f3dacfdd72

SHA1
d81c6fbb78fd00eafe0070cea85247f16b85e233

SHA256
9550409438cbef7b220f75dce5c44554e65f9b7fd65fe0abcf7f97b9bd9fc046

SHA512
51f0f927299e8366654342be5434499e193c7684f5fbbea8d5cf49304ca2717b2bf61c7700edc3b6c709c09c8c76eb168b8387aae18f4851b3b77b314035d03a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
943f887060f5e8c6d0ca9ddfd0178e98

SHA1
b7e5580cf65865bd81f8d953eb15ec5094bc9b7b

SHA256
0db7a4641236a2e561072741c5c6cbe2141ee8846976d0af5276096d9d98123c

SHA512
109e8d3adacda575e7060ed18d8e996ac8b56a48c7f05004379f627ee4f49ee2c66541765e29500da89d7f78fade2f8859b59cf63b08711513fb2c9f09199448

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
fcbc92e09e7e649d88c47df32187b072

SHA1
77600ef56a6161590dc238801b0c8880fdfc987b

SHA256
f75524f28cb46fa53ea41441cb45c43a47882635072823376ff9a0f8cac3ef9b

SHA512
4a449b1066de29a66f3c51f33ef3551815c83b972237e462c426ca079e1b259d1eee72bebe7dd4353a6fa1c1f77fce665bf9265393e2f14ad26c35444a42a175

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
f9c0d6e397be8e3666d1390578b8e3f9

SHA1
1c314f8f766c118fb3613f64ef47d17b5e3b461a

SHA256
618e60bea83317f4053cb93cdceced5f17eec9a632e71ec4e8a7c7ed98ff425d

SHA512
f83af5f78c4d0ce6e19cba982df346a23e7d642e59d82d1e0a79a7408859dc79c9657818cc37b35c993cd243907b453a768a95a4d7248cbb4ec1a84d0be24be8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
d8d875dcab1b453625bfe40e330b1c7f

SHA1
c67e0e585d5ce6a0633c868f2485c22a6f535eb7

SHA256
227aae6ca18946f756b8fa18e16b705e8620f0842342b0ca0bde47a2af8a7919

SHA512
9c8820cbc538e12d64dad11c56497eaa561f59eb83c14ab1b1b6d0a703a3e66b82ce7c978880f9475196d423709b6e7d2532157753e05c23b9ad6d2726a1d9c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
ab76533ddd4fa4212b061d1e3b5b0f55

SHA1
530e5ba0335b216c4ba689fd0428d7777c417273

SHA256
b24f8721e144746fbd534b5e6b8e5e393a2d51541b1f79378184cf3fa1568910

SHA512
7872db33bd1f0d4ef5ee038c63763f47908cd807b4f5cf8aa6c15e5534aa651b37526a2601dc6d1b432874414585f9f024dc156deeae590b83490734c5c52d29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
3670a61e222da1c17e2d9acbdfaa47c2

SHA1
57d6b7c29ce2869a8e6131a43d97e4b1ccd57163

SHA256
ec2c9238e24e5bbff84633108dd1e9cdb09badf139e88f49f90ae824e36125af

SHA512
52edf8309961c31b6c3ee0476f38320868c9b1b9ef0d2e936d02fc1a344a0584a598f91545c6d6218bb76c69d4b8a262a7b486b24bb00d59dcabe5820fc59556

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.5MB

MD5
35fb0b517475262fc5a165df0651b22d

SHA1
d72a28825943653ed2877b6fcc8a6512f841e560

SHA256
58e997917cc843cb4d48a9c27515c822c20c642c3c3fa4e981237f6bf6e4393e

SHA512
a719dfd5431ca6ef4b3e8cf1e0dbf0608ed50a4f73193c07fe2e45664dd6c5d6e4ff51476ba2f0966560c02d370ed47d63efe86388fa7fd33659bf53e6b8ef68

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
76c925b69dc0bb4a3cd9e78847b9e152

SHA1
ce35ee5343937f5d580c13f0c1e7bad57b0efc26

SHA256
5c3b500b286ef15c557131185137c8cce7443e8d4a91f03b2a0afa69cfc989cd

SHA512
cb6cadcd278baf18a77a237b9d802c554f8f75cc52cbd4c59651ee992dc349850254b444479ba45f43f4c43b5894931eee73227b5a01d99bc1c4a098f5ec212e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
63e9050401d0ccf50fe36733da0fc885

SHA1
a794a991fb84531814544fbae4c852d11eba6ca1

SHA256
1917b306211bacceb3ac7fb620245f8f86bf43d60d731f25b12a6750b56966aa

SHA512
37e0d265bf7f8ebeff91f8237e51af51b88f250703700b428dd2acd03ab352c9a4c5407b1d711187c23fdf950be534dded77e17e29bbc0105daee2fd10e722b8

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
3d42d3f5698fa464d69c483633491c9e

SHA1
7dfb4bd1f76bdc6ffedba524f4bf59c517d6c7c0

SHA256
0ff91211db4c135d78d5976980a0fb0a6f3bedf86d00d6f29ad4e4d9098ccc88

SHA512
b1e68bb1d2af9da23426d992a6d434465abdf25372d84652e1da9c93a8b7c26bd046fdd7de7fd63c578f33bdacab297cd38820e1c372dc13483b1856b3198a56

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
0e35944168782f321b7e7734bc549a2a

SHA1
1b33568d72e07b12508c08f272eea5c1bade5e4a

SHA256
7a053c8933d0d97a7c16ee2ef317b93a8497437b29fe7f35757ad529ce97f212

SHA512
19f8bc52452674444ee60c6428c53fa5d150a4d9becc31761ae10e8c634b4ae620b3284d99a424f7f5ef3c320875b4c56fa1dbd7837384fd17b443f827f102da

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
e0176fb97c8f35ca4ca10c7129ffb0c1

SHA1
1247e04ac4f2af15269849b3567c120ceaf72531

SHA256
db2c6262e84b6ff61a9d6c963884a39fe7cfed4de2375b8088d398782ed116c7

SHA512
e7604123351f2210e7aa3a3753e147c350a1b6573e42a2b5d3493f8554468d8fb6e7b9f881e8482eac41ec9e54f002430b2fa56bf0cf8880219f6df59dfa7e72

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
df199a2771fc224fae8e7646f34a486b

SHA1
6806f11b0afb5870cec18a0abd4a60fda42f4625

SHA256
6268270a0c3d062acd19692323548b7c48146faa4fff105f56416052acfca229

SHA512
df0a31d3dc16fe2aabc6b176a0a0a577c801f4946965eafcd6f8d855873828718dba563545c192da33b60b4dc5d954d797d56b49b13debefd1c75f8a16a0c5bd

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
a1025b28f98dda3c0eb92d2da696ca52

SHA1
5ac4d577d4317d89a111e186ec7953e8b84ee96b

SHA256
bb8b5b5551907e0c03e9357f2daccc886368a144947660069b262ce3221d2fbf

SHA512
06bd1b4133c7c62c0d9e05769a9a8761f9c458072fab1339d1e9491e7e74c9b19535dea509038e3e46f2c134c0a9a3b575e015dfd83cadc2bcfa28124e8985ea

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
b266df709d62752c6c85fc9bdb514b7e

SHA1
b225e23ba14b3408d16a6119973099cd6dbc2ff6

SHA256
f3df546c3f96bec40eaf1b97e826d8226f4ccad2a16298b4c0ee164dc2f34c5c

SHA512
342b0010d3a8fda7ce3a591079857175f2b21bd646c63eec6caad80955ceb697edb9fd25a0d260d50e1bdb98515d0e100a906d98f0c3e476ace5972da5b4eb3d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
48b67d32063f6806ee7ac83817dea353

SHA1
1f0a0a79bf04533322182b2c3608ca39074767fb

SHA256
c0a854631337a24a978540e818b8e8dbe6b09ff3e99b746d4b7cbbf93728333c

SHA512
02fe26e47fae04020e538cbe6f2ae949b8180e50a5730c2a4f800baded3ac387a66622a97749a840f2a83b6f3ab3443d93ae0eabdd5782afef788c8caf08bb23

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
16747fd9aaa100b67618cebbc9ce0844

SHA1
e70c4ecf88779da57567a6ea373ce941cb049dde

SHA256
7b1c1474dbe01c9ea1d343777ae10783ec6bb275fa74fd8629377a9739e078dd

SHA512
fee761bc2a1112140ab9324a85dd3b81974c23de3c8579044d98f6654d2ece83bc875e7412e22bf91a8583c303c8cbafb06b52793496260d44c6efd3e7d14eba

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f71e91416eb1ef8fd4cf65dcfcf4fb7c

SHA1
6a0eeeb5c326b0b9881b4e31063761c0bce4c0f6

SHA256
ccf6f2b7bf0d4327f0c2e8afa6b762e88b1212c69933f2191feafdb917d47468

SHA512
6a6ca2a2dbb2653288e6bd88f26efc35b3b3fd3a2d5d21e183dfe1369edd635df960fcf571bcd3caf7aa36522581ecbb76e62cf36abf43f87f3f64f21d4b6952

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
896a466eea567b692e3d1e47085dd238

SHA1
6664a6402c8c880d2023731661ecf047f3613f12

SHA256
33ecacd4d9e21695272042ef14b9b8a823bc8d5f0f4bca5c10ac15e66952bb3c

SHA512
1c06eee9b0781ca8cfe84cbd467fe66d71342532ec2b4cb5673126424a45313993ac2935810ea265378bfaec613a046f5214be4429322c7d21c5edc43f692259

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
ea97fa7a2ff05eda1ad36395eedc46e8

SHA1
9dcb18308c4fe0136a8d952bccb328f20ac7eeda

SHA256
ec791ce3b076b82befabc09a178ca1f1d7310235179b1d0f6a83151aa7486fab

SHA512
e7b3901b1559b35ab3cd3284d0832f946a5fdbefb6b32bbff969ca553a74d6645a647bcb61dfadf227a0c7b6d8f41ee230a5702c5e22fce29082d1983fb385e0

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
0ed69c64b5044fb2e81f4e0f9e7bae9f

SHA1
d17015358265671cd4ff341cb4c1ba11a3d9d6f1

SHA256
634f839bc4548988514de39f5c662ac21273bb5b4c3063bf6978727bd7bd1212

SHA512
533c55444e20852a4fffab41bed460eb2c6a9683470c278fcf4b3fdeca4ec5c35d6ac7f2d63a639d9ed9572b15d7ed32617afc96cf7db2e1accc4ee9de04e12f

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
69c874291d0477f763857930c9c3321c

SHA1
45b76bc0fbb6725ffb25954afc3b93782c88549e

SHA256
4302e582b2f63b3f409a2fcaf1940e3d5f490ee8c942f78def851227159a0f96

SHA512
45635469ab819bec3df8a83e1c4bb36448f2c7f5a4e2bfb3d1d8bf4a43347eb87b20aa3ceb9cf32679cc9f453a43c71619874b710d925cfb98f101a97113aafc

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
efa9e128b0fd0220f29f4012fef74460

SHA1
13527c53501fa31dc373f9c11a963d4a322e3d5f

SHA256
043bd6eae380b1481c9a0412dc96fb49a9125031f82be99d0649821a40cf579e

SHA512
967fb685d88cff08fa31367bfbf786db843de7f5da54760c854fb995a47125e67866f0275c91db35f1d93f86a68b02aeb4adffc074716932c5c6ead551b88910

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
e4e213cf5ab1741adc41c9d59b33d361

SHA1
14e4328437191ca07e176d6788a71b422032b6ce

SHA256
fb3b7af237c8b5739207de5b83e18d758b6c18a7b42529285a03836cf78e0334

SHA512
7e6b3d789eb33882253cd75d5a58087b0df49bf2369a774374d9850d4f05c313f5e62be3c6b9500490ff8e27d579784c3952c8c3a3d14e5b7b97165c23a6cfe4

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
31ec44df71e944f75e7290040ab38b18

SHA1
eb68370426095d61b2bede41129b60d14e5af3d7

SHA256
512f7f701659dbc9e160ca2e82a85525dcdd03549ded4e5fd9cf1cd4fcf2750a

SHA512
38f670406629d72feaf66e13f09ee50d360fdaac20be06e1098bc612118d6f2212d2f134bf31757a72a31873d06f2a9d5eb055c4208255497f461a754f39f2c8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
d84c7e8a690fd0b5136e46259728b0cb

SHA1
4508bb89784a635782b9d84d4ad1c52bf314a225

SHA256
d26165f56fbf1ce9d155cad283f41ecb8d65300a345ec1cfd538f8296ac58c8b

SHA512
f581454988c7bb9a76e85bd16e96776aa6ac3cd7bb4006a44d799b3e5b8afdcc389cf5bae3448a76bb9b01ae84b90b65a5faf625a584bf4e8ecaf3a83c381986

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
158d6613621658157b7571684467db2d

SHA1
20982278773202742d2cec21f09fe2081b15c748

SHA256
e07c28754fcc03b1f92e527d4c57b40533a0d2820c4e9f87b93f5a83aac4442e

SHA512
ab526db3b51190573aebd8e0a84f3478b88a7d3ce78840097a96edb8879cdae93c551ffd25fe3be50ed24f6278e66f37d64f7a63d9f9fbb036629e85b4fb24bc

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
624cb936ff3851ff7dd9f3bf41015ba8

SHA1
95dadd5b08fb0db6352bc69551c26b269ecb725b

SHA256
263ce55fb49c5d17dc8101e513829e73cb1cc45e4483bde78f7ab18bdd3bceb6

SHA512
d0e26347c7c3547823e30cbd71cbe95af44431b8146b0a50f2efa31954fcee047358e6afc22a43613c88045032e6274c4b72780eea12614d6f05bb9420965a89

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
1a976fa61289d1d38a48df3dfbed2db9

SHA1
8704e33ec442b9a31751449fe1a3baf32d6e8b3a

SHA256
a00ad29ea6e9f9e782c0a2065bc93bcf74412752c105d9fa51b809de16d4182a

SHA512
2f835fcbadff2d00ad6cfd324464951c68c5222fb2725f15480bd14139cb12fcd52cf73a11bc9fdb6302c80fa7e5f85f30feb0d1700ad8cfbbeb4fd196f0c72d

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
faec9072518ece2a9a61600c0d8ee4b9

SHA1
9b296cbe25ee0d6fba4755fc4c43891ed779edc6

SHA256
eab9f5af8c4c3d6b0bc29f9bf1003b10982cde599399e3a60c9b62ca454cbad1

SHA512
fecb17b55be04b05628d96a75f1f6ee4ce5acae91962ded3b6a260eb591f3c2c207f38eaf8bc62a4b349851889493528be91279477b0afc3a1dd3aa279611fde

Download Submit
memory/1584-83-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1584-196-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1584-98-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1584-102-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1608-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1608-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1676-223-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1676-578-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1684-267-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1684-836-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1864-285-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1864-176-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1932-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1932-696-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1932-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2252-21-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2252-18-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2252-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2252-184-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2352-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2352-679-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2452-838-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2452-298-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2844-151-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2844-143-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2844-149-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2844-153-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2844-155-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2856-197-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3424-329-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3424-842-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3456-837-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3456-286-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3504-185-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3504-297-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3732-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3732-112-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/3732-129-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/3732-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3732-106-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/3912-839-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3912-317-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4220-764-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4220-256-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4504-843-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4504-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4604-125-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4604-116-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4604-122-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4604-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4824-158-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4824-159-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4824-270-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4900-320-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4900-208-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4916-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4916-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4916-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4916-255-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5116-8-0x0000000000990000-0x00000000009F7000-memory.dmp

Filesize
412KB

Download
memory/5116-0-0x0000000000990000-0x00000000009F7000-memory.dmp

Filesize
412KB

Download
memory/5116-7-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5116-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5116-511-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download