72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
Size

1.8MB
MD5

31cc403a438f76e438297efdfb795169
SHA1

51e997030c4af45a97f60c9b2a0d7fb280b0fc79
SHA256

72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6
SHA512

e74956f518ac94d590a74247ad83edc28eb936ea937f5f8ecc15182033b3a32d8e905ed358e235807ef41274793fe4403382c5d4e0b0a06e71dae94170da3ca4
SSDEEP

49152:7x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAxgFIDRRAubt5M:7vbjVkjjCAzJnUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3516	alg.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
740	fxssvc.exe
2104	elevation_service.exe
556	elevation_service.exe
3200	maintenanceservice.exe
1084	msdtc.exe
5000	OSE.EXE
4424	PerceptionSimulationService.exe
2040	perfhost.exe
3032	locator.exe
4256	SensorDataService.exe
1040	snmptrap.exe
904	spectrum.exe
1032	ssh-agent.exe
4576	TieringEngineService.exe
4628	AgentService.exe
3492	vds.exe
2912	vssvc.exe
4048	wbengine.exe
4524	WmiApSrv.exe
440	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eee821b1d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\vssvc.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\System32\msdtc.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\System32\vds.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\locator.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\wbengine.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM758E.tmp\GoogleCrashHandler.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM758E.tmp\goopdateres_fr.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM758E.tmp\goopdateres_hu.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM758E.tmp\goopdateres_th.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM758E.tmp\goopdateres_da.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM758E.tmp\goopdateres_ko.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM758E.tmp\goopdateres_bn.dll	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6617d16829cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079ec6716829cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2921619829cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002090d19829cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007421a418829cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b28a6516829cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1192	72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
Token: SeAuditPrivilege	740	fxssvc.exe
Token: SeRestorePrivilege	4576	TieringEngineService.exe
Token: SeManageVolumePrivilege	4576	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4628	AgentService.exe
Token: SeBackupPrivilege	2912	vssvc.exe
Token: SeRestorePrivilege	2912	vssvc.exe
Token: SeAuditPrivilege	2912	vssvc.exe
Token: SeBackupPrivilege	4048	wbengine.exe
Token: SeRestorePrivilege	4048	wbengine.exe
Token: SeSecurityPrivilege	4048	wbengine.exe
Token: 33	440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeDebugPrivilege	3516	alg.exe
Token: SeDebugPrivilege	3516	alg.exe
Token: SeDebugPrivilege	3516	alg.exe
Token: SeDebugPrivilege	4108	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 3916	440	SearchIndexer.exe	113
PID 440 wrote to memory of 3916	440	SearchIndexer.exe	113
PID 440 wrote to memory of 4812	440	SearchIndexer.exe	114
PID 440 wrote to memory of 4812	440	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe
"C:\Users\Admin\AppData\Local\Temp\72ab6e88ac2afcd5391d131210abdb7f82888e24aaaa4f47440ec8207d4d0ac6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3556

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:556

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4256

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:904

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2240

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3916
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9532209d221fc9ddd8f49f5e78cd35d6

SHA1
30dbaff11daa0f047ddcd826f93cca345ed71c8e

SHA256
39c69f67790d0c0bcc7781063fc2cc3e4e643e2d17aa885818f774d3df485558

SHA512
15c4c3d5af89019a8ba4bfbf81165c2a30769244f312eceb2d904b60053bf2f2b89f6d6ea904dcc315004b34a193c0aaeee1e337c2aef94d0ae3d2bba28982fc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
3f41f494f34769b3d18d30ef63c6c285

SHA1
8a54c4fb86f98dca597b1ce9cc82ba3fda4289d8

SHA256
5bd53b84b2be1bbd7b603832127163dec52f20a39b2141a95cbd25ffe95f4aae

SHA512
36b15716a955aea507d29275f5a79bb6bbdfc6b7014091a0c66406dc6d76173d3df6a7734f7fe81ea5bf7e0c6107eb005b363ec49386557d17a042693d68b6d5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
9129553a13f0eb182e424deff02e6797

SHA1
3977b27afa50fd6f025d5057a026bb58ea315c22

SHA256
1aac5ae7bd3abf9e302776c6945ec439d4bc5c386e8f7f175043ca89fa6f15e4

SHA512
0faaa3670f1245b601e7016ecb23e1c890d2c60084674191729f7c6c64bb27d90f74790050f801e7ebf2c9e2afe1e86916dba91a2b263182646dc7f0aa8e6d99

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
63f2394b211b9ff6d3d37210be11ce6b

SHA1
e4cf9d151e62f1129fed32a6cd9ebc9aeca05334

SHA256
4358ca8c33c403328440e7e44b48285c65e782c49555e70520637513380a50e5

SHA512
5cb42a490fe61c5b948b1ae027469b5c5154bc9a77eab8460e178003b9c75a8e7928e6301e92009a0d0ba1e6ac7765b3fda2a4815328ee93589c9baecd79fb8d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f22e7fcf3119b16a364e462b35496aac

SHA1
94eefbfb8e577a817c537ee996b470092402a730

SHA256
431906975699ac23ed43b1c3a467f6b440782610bb550eb4a1edb62fbe19f5ff

SHA512
84cbc3389f8aa50efe88b6cb3ac48f37ee0869e4a5e6999064b8ae96e43f579e2fcc07c28bddf53676c619cbfb556709056417a42ac6f2d01ce5d64671998481

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
73b000367c047f093aedbf616d074f1b

SHA1
748de643bc3cbb7f06f0bcbbb6386cf6649518f0

SHA256
23be3718579d870cd93d2e075d898502937bb508069bd2a4b8d150179b877edd

SHA512
8daa2cd73dd3f3fc3e7c6682eed018300fe138d1b542c7b5b6086b6fd781d427a98318a29ca121654b190c5a7e2adcd33904f821eaa36054c7c9eda06752f12e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
4a7d4b00702160a33d4c697a3d5e1711

SHA1
3a5335d0217f7d137ccc5829bdbabc43bf60f857

SHA256
7c2525b3b87828d29146b16f96dc4aea99119f5ac5e44f1d8699b6938aff2e57

SHA512
330f2baca880c97750a11fad9510a75215dcfa290188fe4c09fc07c2d6741080cccf6b85479382735ae5a810a2b16b1e2dd6f41e6760420b318707035d2e1b65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
578c05e7606f2fdd044d950d0e9d23c6

SHA1
068b13a6e2c18e0531c9db3be4c95fa7ca1d10c1

SHA256
0ce08d668110264cd9c53f0c98e4b29d7637f80a15c71f1aeecb6d7dc7cac252

SHA512
5759b78ae4b7a5bd171abc42bccee82aaf1b76422160112d49952cbf01a1213a28e7583cb5500ff8a0d09e41459e1121d0594a3ea82c2dacc23dad16116ceb64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
8f0adde12a6276400d70ce290d724abf

SHA1
326f781d14524683ab085db9dc0a525f30407cf9

SHA256
32978d84803f3084fc133cce830eb54bb9793454dea6c43f292d1e2c58a19651

SHA512
98012c386d2948bc66e5cac14e64ee26728ef736981070b2305f384cb4c49be7a2cded3441d6b859988ed9070c74319322315b7f2cd59217232d2378af5f59a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
87b30e3aa83d9bf3c31c917501d7a0a5

SHA1
d8ddfe62d7f00a5cd9e5acfa6d7c97680262fef8

SHA256
e95bbe578d279803cdc6f987e16228bdabeb284e09166d9f56745482bf33285a

SHA512
530c3c1b2715259e1beeb3e5caf9421cd80adac822390d848bb00d7c208b3954203e518b49e415a2a7e1d5c6c31b52526d799eb5429ac4eea24ddf90e49e8dff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2543977328e4951e4893d1a0a910660a

SHA1
0c5ef0dd95afc11cec588f01cf56dd9778e376eb

SHA256
8b10c3f4abcf4df603332d08ae8040c54f0a5d49be7edb4be305266c98b60855

SHA512
dbfb301bcdc1a4589c878d9e313f5427193ada0c5ccb4f562605abb9c971737c11abf4087fbb025de5665e37830cc8c55ee6efd2530bcae60a59e3f91f683624

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eba09193ae4ea44ce0efbfedec10527b

SHA1
fa1cdae06f0f5e70fe7d7dc599a9a56dab842f75

SHA256
eb7f23b96b77e521f348419e142fb93611d2c48886a130ed229e1a17571f1d25

SHA512
4e568d682d29a7722c2deee403ebbf3b8df091b96fc0258a5215bbb41f1400639ab60ecd6ffdaeab8090881e6dfaf5a0aaa04cb7b99485f2af32336b55d07a5d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
911ba6f0b8d3f4770d2c05580b4ff4de

SHA1
14955ee52664856dd4e6b1eac4d9268fe5166e2b

SHA256
fa7d06e5ccc788223073525e35f93aac1ec8eaa7090f136a6cd773aad3055653

SHA512
2dae8b3dce916dddcd8c7fadfe87d1994fa0fa2434cbeb75ef671cf3d66753eb67278723d5856cb4b35a4c688428b94f32101e2c9e8a75af7ac9c3ec7684bcea

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
a363855e9ace98fe969461a3c2cc124d

SHA1
c79ba0ba72f6b132c14a15b8e5658c2a01f62e84

SHA256
9f4676b03739d3b9ca180cc36e1e1d476192c270c2318379cdccaa3f5aae6e35

SHA512
67ffedd8642d7dcd6fe4306c7059dfa9a9bcc469b32ca2cb4105c29d9c4279484076284c2e3bdc928f24c58ef1a63d3b0debc01623d39c5a9ba673ccca619377

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
518d5532ce26b4f47ce649c42418632b

SHA1
fd36aa2318092c91fcb8add3c2481714c0be5fcf

SHA256
d84c8f066c7448608e65144c693c133d1ded4eab345988dfdde7a43f88ceba8d

SHA512
d55257ef782e4964670e912faa19722076419a0b905f85211447c8e2e9540a3f6bbc875acdc54dff2ed069adbeb58c552b10c8ef464c99296a94756d284b8cb3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c5a3614e6dd91adfc9a5f7dfd9feae1c

SHA1
5b9202099fcb91d4abb864919f3d5b0e7c9e4367

SHA256
01c5ea9273c32efcb06800de345ac20fcaad932095334f92247d804cc76db599

SHA512
1543311135327686d579258b04c382f83e8cf3d8b5e8bb24fbd310128fa7dd099ac21d6988fbce106a57a807271086eb0b763376d6a5a8c9334d131993288822

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
fc9ba95786b4c30988fc0ceecbb35d22

SHA1
0e945c33fa55e3cd41b5b0cbd623d5429e41ea53

SHA256
92fba9e5e3cd44b3c6509befb4c77ee9f41982f5066eacea2760e10dc587d0f5

SHA512
d24ebfe0bd4d740e6b2e92a3e6d1b178ee548589629dfb91d24febff70c3fc53a50ac9f086fef8f5b9f618a886082ab5dbbfae9d2b796ed86b32e7fe42e0fab8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4f5f9ba312c3c54f404489462fa1f81d

SHA1
de631379f54641a28eb8073d1d40bd0b80c41c1b

SHA256
487c225dc0239a5ab5deeb9a4b4a56a1801f03af7afbd7075647cbc65b1de38e

SHA512
74075f1c3ec25c90295c0e3264b25947e000a6f2d6fdeff522aed596f6d0d669e861598987475aea9821fdcec22d08622ae7f8a3ac6724dc5363f3e712dbfca2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
59cd63357425b14675ad99323fcff1bb

SHA1
4fc8b75c495ecb80dd18fd2ec3c5138adcb9d1b8

SHA256
e8cf357d524d8b8a661ce828a819171df878cf66abd0b56c2d15d1db0f045bba

SHA512
cd04c4bdc9d853ff9a2dbdbdc66c1442f8c2b2d6be514c11b59c9295cafecf222dba7b7e37d35b5fcb7188db1e249c00f2c095060d06b54a57920092a50adba9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6a035d03771401beb44b43f8ffa1067e

SHA1
a4bd73eb904d9ff7b9551fd980fdbaa05eac9c24

SHA256
5e1269992c32c2b7e2de3ed6a0351b8ebadacc11900a72be825febf842b82e1d

SHA512
c009afdcd33704e0463eb77fd614ecf7cadb226a265e904e8bb1e52ba9af79cd0b15f55aac578f5118a090e401bedc43db37bb1f24cc0c8543b8a13158f5fd59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
d66db3229d7a8d463649cda738f1759c

SHA1
394f5024078d55436c06c40f32befb809d8fb821

SHA256
973b06224944b00b92d69cbfc1f1e4eb10518c124db98bf6d1b9123b98f962d9

SHA512
15444eb2842c84bfba04c11e4a545b6c73ddec6cdeda3a8545dd2218e8953562f425dcfc0f84ece9edf946291ac879692b5de5b67d842ff936eaacc02365e587

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
9851acddcee36e11ac4c0bf5f4de0d85

SHA1
d2bf1c6b3d027f93a6c9cb4aa68f7c21a1e451f0

SHA256
67b90329e7396a6a952f380f66f6304bccd59a99c8ebbfcbceb0407e2b45bad1

SHA512
dcadf3ec8b5551fc68fe3df4288980ebc80a9b78d7f8005a31891e4e78ed73518eaa62b72a346d7d5ecaf60989332cb658b01adf061a0865bfcd38025cea4c29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
eba68c7ff33adc7a97103fee8ef100ce

SHA1
b7c0a0de5168c1e3a601445c41666178e698d592

SHA256
795163a813f51af3fd2964048331233be336ecbddffcec399497015ab4922a0b

SHA512
db345b7ee7d57c7e5901cb8a44854fecd24e5c23592ae650373c38e087994d1b16d16f89223bc0fdf960faa8c5a8865741fc171eaebfa04eb4e53add28fb7ba2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
4e932cf2b94f8d12563f63adb210d175

SHA1
e4defb97bf6a9b4b05e5da5b002ba5bdd4ce84ca

SHA256
1c56c3fdc32b250bb84eeb97d6cf1fa20f86291703120564920881718aa305ab

SHA512
bee0c8b6c1bb778f96f3e22555a927f2321e02f82aa739e1bfc949fcb104848e136db91c299f6ccdbacd18dddba9bf76577808319ed764443c080b9aee3e74c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
de42bc6d2c3f46cc5a0edf47ffe06465

SHA1
14c0f579af278dbb7a1d84bb50a812513b569e41

SHA256
a1862699ec710ee5944ef7728f7e28acb16b6fb0164061df285a2a833de55cf5

SHA512
b76df5404a1fa3e5ab3c56e8b1a36001c8894c3b56cbd4267f8071a29fc7450767bb916759e5175f8fd05c342be038bae39668d4a159157b83ada77fa2077b44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
737d9c80979f05ce0b8117df5aea13d0

SHA1
f04c566d57a43d61874fc42df96b8779b35957d0

SHA256
8c843356ecf4261aca796d2747a7951e1e8ebdbc7d6be7eb5d2083edea4bb8dd

SHA512
a0092a3669c5fb65bdc928828f0ff54be782909241152053eaef47c8e74ab000fdebcd008ccd6a8932ad10aab3a0aceaf9aefa6328aacf185baeacd3a576f82b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
d69f40d910f96a835f9cd20d508ea7a7

SHA1
7569feba852b42eab97caebe4943c77c331b65cf

SHA256
66499728abc4aaefb89d2c8781c9095cf9448aad9e08ce558d4b533d94a3c8ab

SHA512
1eff783d126d385351dd63541565669af901653210bd767357f816eca48b81ce4afeb3f3eefa098ee30f0014888e94c6708f8e9c761bbade9572acae8a1fbfde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
cbc932f161e0934a8d4176c2ded383d4

SHA1
24958ff231953a61657688b9a33d05627905074d

SHA256
2d78960dc7a82ea1e4280b27a948f3f4eea824e1a19d4768473de495d3a52e22

SHA512
d6c1a60e23e8115ddbddcf37ae4d96141c33d087bbfb95a3d33e018ea47eb274421032d1ab4566d90b9f80a8706b553f5d7e1bf4a35153a90c1b9ef0feabd258

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
3692b20c1c692a266323b7f8f3a41130

SHA1
1a53ccdc2defc2c61e51b993986997d9b239fd0d

SHA256
3e5f640ba059837c7af4455e848ec1a65737d71d8ab4ae01dffafff77816c708

SHA512
66d1bba4c5ea19c3ef419a57e78df7a7b984070689671ea82cd1b8c016f044033908900e9d2ee850594ae28fcb2e789f96b26909ca95d9d819019a04438337f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
f3d28860fc0e87e21ec4fd03b2fe17c1

SHA1
4df574576007e401e84cf4a014d3ba983f445548

SHA256
562d0a921c5803f8779e9973b825d01fb4c41eeae63ecc973388b8006399f067

SHA512
fa47aa9bde4d63b00a8168264e485fc5667e251c9b9c035007327d5bb2b6444035576e9436dd88c94e2238f44182d0ea84ce1745183e1234a6d09955ba7df662

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
4c045cecc2f4003f7449d1143c397e28

SHA1
87554726876a779da211814575ae8838303c1f01

SHA256
9acb451e29bc468eb233ab6e943b25f6afb8a8911d214695d3aed8c3d25cc0e9

SHA512
8fde92528f7c42de1c0c6c702eb1d7f0d025758680259772fdf7cf54afb78ab4d8d01b9aac451602332e4b6ca484f8a9558f5e6a83b60ebecea5ed9867918d06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
4b0c66114b270b782c7fc4a578cc276c

SHA1
d5bb472d3de60cd2a746b002b2db59a8a595715f

SHA256
32a9e8c0cd6abcde055d66bbb4ec25896175c5c3158b04a3e504e21cd40bc6de

SHA512
33d7d56dde65cba91c00b99b3d07d7ed9c74be955347a702b97e3963002a93c12755f60f4fe25800af4239be42f4d31774d8d5ff153d86ee7a26a2620d5d70a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
dde8b98478e8edc062d80c133e0d37c2

SHA1
50721e9c3db0a41ebc4a691c6c66ccf8107fa66d

SHA256
08c0e5a26013c31c8463c2b7f68298096f15e0a09b0867d1149e9659f62b64c3

SHA512
53bacaa613e7c81c296dc39cd4dad5a1863c0c3fc93118dac9746f3807857d8f501f3ef1771a5ae0e4423b53d7448289af50db7fd3839526fc1b77421fb2bd4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
ea3b889098b6ed1b7f49d54b51c38476

SHA1
4a815f3b1248cc2b555837c8e9527f5130a50955

SHA256
0592f192afef69b5a695c4b21438c1a2487221eb42c63c9d9a686cdf6e23e29e

SHA512
abdbe161d502feb4b5320b1a565da06f5f92a5448d57b35c6c025a5da734da6ebf46003e7ae8bd8b9e1652ef63e95548d5322111f64fdcbe573cb0fb37ec5ca4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
cc916a785c479b75f5c5dee1a96946e2

SHA1
740b2c69c6068e295c785e9af483f1f1d4a13d7e

SHA256
bfc5895fbab52b67b3cb6addd258094db7494f2ce4580b6969590f4b7238bac7

SHA512
d5c6a36a0fefa118598583eaebcf4566dbbcf9324677ae6937c8638e5635730374a4593701e1f322ea6fa54604265a794ca1acc7e20d8cb92e666b7dada41ee3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
f4e7ba33b57f36626bbc5fa67557b892

SHA1
da1570d6743128b6f574c9f50b87a956a5e1228d

SHA256
ad7c1b2e4005702454f7790e66e554993c70ba90cb53265c9ec158ad445e4ea8

SHA512
8961c6e1e75df86f5be643b1f456e67563bca86cd0d650e0fd0825d2678f03d63f8041c361c5417f41dc204ed6d56e62ee922018665d504ce31afe1f92436dc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
88cebd0ba277cf5902069771ca993ff0

SHA1
67273469e1fce74e404844fdb6ac7f72cf727201

SHA256
deb01deb054620b4ee8341166d5ade55560548a072997883ab706bb399761302

SHA512
d9ab4a5be2c08a2b7ba64f4cf432711072515689865620f21b48ba732cccc774ead4d1c3c70207bf4a58e59429f71dc061ff1a1fc3a9fe53aa7cbcdcdd29f3fa

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fafe23e42fd035183cf8741d4678fa65

SHA1
f5330ab7ef73b7d6e6b3bef4b43d10526c864d5c

SHA256
ee714ef4574be3b313487904a74c9159ebb320160d61493eff35aea1e000745f

SHA512
bd5c7a7613fe1c5858a829000ae9316d11a216c6f9e57d8b9add9c5148b8c7270fef406a2add4f162912caa7d29ab4d6cfd5059d56f36be87ac1e2d0e2732b9b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
ec3d7bf53019a8071e2666f3b120e939

SHA1
05f565e84dc982e4c683eb7978df6b1bdd8fb8fa

SHA256
6efab133c23de3f4d121e7d403ab183a84d3865b628c53a87f51a67d613e513b

SHA512
092f251a812d0eb180042eec9407d970856fbc5e1eab11c3cf8eb9dffca9cf12a160c0bd3e195a62eab9d7d2f779ce3cca794b78da7d432725e6eb1c0193eb1c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
41564194ea37fda1fd0906b02a836fbc

SHA1
bb6346c51483a526ff4190e130481ede4b74e718

SHA256
3eed38cced56c93c7c6db0745ab6af4a6bf6e52ba2ca37e125fddf804474f71f

SHA512
a94ff5fe0905f504a7b9419b6a285116db3fe62f367d08cc64f31c7c03c61f177f2dfe96f744ce84fb4d49c3f188f2604a712224662e496efb5ae6a080cafde9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
62ce1edc2d1753a5c2a383d19253b1cb

SHA1
ffd3e7768c750a7237f23ef51906fde57d758aa5

SHA256
b8d1e24825d6e383944a20724c746a786b0e1131e5e7061dd5930caa4b76522e

SHA512
49cda24e0ac8ae99e2aae2c83a3117b7f10cdf20cf3cf8f7a899c8970f2854c78eda0cea7e81e8e3bd8dc46ec044e47e82af3d3569d78e4c751b3dd3063a8510

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4a19e20572f12f03ceac422c25e06d9b

SHA1
a3bd16c88fb17d2c06220e386ca58bfc17280c4c

SHA256
a392d1bb74039a3ee7319375535a28bb822f26902cfb27019de6753507333a02

SHA512
0a7896822638eea686fe8684c9da29ffb779a283b5017b09a4cbaf782eff3e6e0727ad02f52490d1e633888b1602ab36828e5fb192a3614ca2dd1a4e4ae47049

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
30292e03d4f6ecfac284b42f9b1d31a3

SHA1
152806ac9307b1b436b199ba3938114282db7f8e

SHA256
efe6aa28dd06ec82f01aa5e1fbf8e3909e24105c1f6eb072c9c2270082942b14

SHA512
2860d1f45783e08196e4a18976aa529dbd2a240a185296ee901190246f8177361f71e2b8c463e2f4f15fbedd770c1ce001351122dbea82d0c074bd5fea3d2c9b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
5ed55b27e65744fd33a515abc582791c

SHA1
05d6739c253264c01de3c755441f8765cb2cb118

SHA256
58c301c4e85680bd8ccd28e260110f7aef56cad7a17dfa7e73b14924884e855d

SHA512
22bdfe8c8d6b2582e40cfb3fe5b6d7fc1827456054527bae4d0f6a0f565239b8afed42cdb70da301686fb3c4d390c21a1e1cf5ccabe0ef19193bb601b7fad255

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
57fb6a12103ce2a262b2b1674de19730

SHA1
453c4771ddcc71352a85138d580db021ffb70ddf

SHA256
c44614df0e61c91935592017f8e055a57dc588d628db7c33b366e345d381a194

SHA512
0f15abf1dc3fe75cd0ff6116a15457abdf94db247c398dbe2f0c3d4ed30dbf6ca349bf137a944eff3abf41ba054e2bda82bc172d9ac19d28c0c3bfc589b5cff8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ac52a3c12dcfcd14fd952c49eed5d372

SHA1
cbb20e13b1988bf30537e89751db3a019bce1d40

SHA256
b988e842d83d7cfc716d4949465ed89a4c4d6f53c9ce971786c10e671bb36f87

SHA512
5ec7ab98f763624d4d33d18630957d95e8401f0d89169533cb6d37a530a668f8f3c40af274ca664b7f4a0498974468c569546e48344b2c82f667918d503c87d8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7a4441d07a15a8bd52e2ec939a235a73

SHA1
65a16c2ca543b0bc1ae25126bca04ae8ba6ef78a

SHA256
b52bbea9e9736be07cc7960f6cd9641832fa8ff6fbe5988726d3994915044e86

SHA512
883c186371f6aa0b4f37af3396a95f9a45302a5d9d3a56b5202bbae28722e0b72496e7452bd184918e2a539e486cb36abbe2ac695aab4614f9642f46f99a95c9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
31e4cd4939311cb35c89e98df43a6621

SHA1
0ad7001e114f92a41cf2a09bd7642d3883651779

SHA256
3a8f02aeaec28f33dcaedded0c93cdb93e1278d0ae42c3de7aacf043612135aa

SHA512
7fa8a540b3b0d4641f2223bd7c4ddfc09f903eacdc69d36c9c30aa38b0b94156ac2441985034ca6911b80f1365a393e7f7fc43568ff4e4524d0ca0792500dc07

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7731aa9f6e2522d65841a1621104a78e

SHA1
0c49a5a1b9fa27065794f75601ba33edd59192fb

SHA256
4785d915e05107b8d1ec97996ab8a0b7e9e38de9b7ee4b48d4bcd76c01968a25

SHA512
f4c669d08056f0d70c03a80ba76f2f3a2ef3f32aa2b9fd30aa11bba7163a8c8ee0254aafd3e10c27a06bfb6bb7cf7b0c5a47394507061e05842e62643a3ac229

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
fd53f615930171a8f3389f6e804a2dea

SHA1
950a372cac486bf1c23e851aeda0fa92acd4e04b

SHA256
f5c784f1bf7a8065be4d736c31308ded954ca7e5d14cb690992ace47fda2de3b

SHA512
17b80926e65c4f8725f592e66f28b0b087fd8717047aeba8390dbd569cf92909f99e9c73c506c62a651b60ce52245f12a193cd2544e179172df92771f937bf8b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b98a83040af37e402d0630c27607da1e

SHA1
acd969e341675df2f4489d55b14bf8d60ed884f6

SHA256
d30bd683f3434db0657503a674217154046a8af1b4cb12ef00cb5bbe585b286e

SHA512
b4db7b3ec76468c3460426df92739eda3f0859ff1a8dbf122085982f2c20d5856308e9485cf7c6dd87b31294b567843c29082aebbb3b14928f2cf441eaad48f2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
04153c393e7b1987a59814e9f67fe3d4

SHA1
93dfb4cae3c447eeeb9016693659e46e039a90b8

SHA256
afe946fc5d018319a38b7c9e9506b02513b9ee4691d7dd618a57027242f6c92e

SHA512
56fb0064d2714b5cc7b2a08380659170cc51de9e3de312b170301271403aac46014fa424efb6f476169d5bd9cd1ff790e6de9b6ea29998fdfd2d208d9a9e525a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
96362da900afc628d021588a08e60a5a

SHA1
c91b79948030e671387605a362c7f8e5f5961adc

SHA256
ede814e826116aea16c4838e5554ea69244722baa86b0a812bccd319d5018e32

SHA512
4f06145c65c842d7a6819c78968251d46a4a23ee9344bcd0382a79a2aed609e900fc9b19b66f776b55937770f47e59d94d23cb475f2871e618fa1ce557b1748f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
f89799dd37b705b1c26b4aa06b7fc7e2

SHA1
93609fce557e09fceaf4de8b8f1e3923cc64797e

SHA256
f3a0545e2316586a4db0b74ae4b6b591dc7001a5aaa07b70f672c0b9b2a709be

SHA512
b209704a9aea7b6ce88395ac4d445d9567f8d16aee90e486dad166174e9688f79fd7cf7f67e6cef26a4361224c9cb38fc909a5e4d502d42ebdbcc68c19469c51

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
655e78a378670e0a5dd870be49748c09

SHA1
5481e5e65fad6d120f662c7e1ecf9463005b3768

SHA256
070df61a51a1e1b07ddc7d9aca9d1e62836942752dbd062f7e0904e84a029038

SHA512
ec021466bbe302d28d2ce2d9ab6b96915a737d13f91d71aaad0bf100e40a3de9daf1fead10bbeba0f7266f9dda29275d5ef1c91da56a18c1609d9f9607574acd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2f4ea0501fefc9c5edf09f8f14ab1100

SHA1
dc2c586c004cc63f5192b3610d210c94ad70e14f

SHA256
6beebc5ddf35fa0ae0702e61cca9252387e86bd4d6c7f43bf49cd7a84a36c58a

SHA512
a667e7eae511b3af887112058c8235d535b8513fe4177ac9468a42da2bbb79f1fe80092601e4b04eae1685784a2e00b478b8c4598373e43381c02237eb5f68bd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ef0dc50ef13d77d060c34c7cfd907ecc

SHA1
c406da4968f2f07ad8260a614c6c217b4cf1b735

SHA256
1bdb8374bb3f847d2017bad8573f6d65d4244b5de6cbdd3ac867dfa08a20e9c4

SHA512
6b91d9a387bbec9be7ce4db245fd17c85e7b895d6fe9459f109cb202fefe4cd7c6ba26d27232fb84ad2d6a25ea32a04ea24ddd10f86e33f5614f785615cdbebb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a6ea75bb10a96367a7abace35f44aff3

SHA1
2f16318f66fd21d86bce8f273ecf94c6631afe7b

SHA256
51974d9a34a21730334362c4fe1b8bd9271fbcba170f7b011212102d2921a23f

SHA512
8b3bdda20a913c88f8ab8207f81be84ce78b57d7679b587cbaee82b65e093093519d9e87aa6213e645df035e1d5377c15c01d7ff38969c1e80c6aa9d655f316c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
5e2007c9cec9ab60f74d48e76e84ae46

SHA1
590514e6285a4374cf7ed8f62cd984b41adae004

SHA256
40dbf37c17ddd8f3ba88792d2f079189fd89ca3302e2d15d662e1b2d81f03a17

SHA512
c0f87b9ff1af6dceec86b062f657b4b445f27afed9a16a722d93ea7c13acd1b2670945468478d2c70266b6548caa385bac77d1b4823fb270f92d6860321c4d47

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
13992fcfdb521978de81363e04144068

SHA1
f0633bf6782cdbf932c839b8678f7c3d488f934b

SHA256
41a38faa983596af39acb0a9855eff72f6d2d842b68e0fcd89a753662bca6af9

SHA512
28c650ce85d6a249df3770cb2fc6cf03d1e3885ae895ee748fda9836627bea8f1a04b426e96ecdbe9d58a13335a5247eaeb20e1a890b672bea80f8fcb4211063

Download Submit
memory/440-766-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/440-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/556-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/556-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/556-261-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/556-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/740-106-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/740-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/740-112-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/740-114-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/740-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/904-752-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/904-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1032-758-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/1032-262-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/1040-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1040-530-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1084-156-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1084-166-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1192-6-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/1192-542-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1192-176-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1192-1-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/1192-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2040-203-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/2040-322-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/2104-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2104-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2104-119-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2104-126-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2912-303-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2912-761-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3032-215-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/3200-149-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3200-141-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3200-152-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3200-154-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3200-147-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3492-299-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3492-760-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3516-23-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3516-56-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3516-54-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3516-201-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/4048-323-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4048-764-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4108-93-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4108-99-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4108-213-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4108-100-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4256-757-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4256-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4256-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4424-183-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/4424-302-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/4524-765-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/4524-326-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/4576-265-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/4576-759-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/4628-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4628-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5000-177-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/5000-290-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download