f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
Size

1.8MB
MD5

ccd33a293aa704e943e8820075516f51
SHA1

8324906555db717e74724429e4da6c6e0e8638bd
SHA256

f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d
SHA512

0a393a2fa5d61d05932197811a374ca53adc6ec17c8786830d6ee910b2b91a3f0e51e26062b926d17ed4be8764739dca6256db28c736cb572eccecb7920e4b1d
SSDEEP

49152:iKJ0WR7AFPyyiSruXKpk3WFDL9zxnSCkQ/qoLEw:iKlBAFPydSS6W6X9lnPqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4004	alg.exe
1944	DiagnosticsHub.StandardCollector.Service.exe
4116	fxssvc.exe
216	elevation_service.exe
1812	elevation_service.exe
1920	maintenanceservice.exe
4992	msdtc.exe
5044	OSE.EXE
3344	PerceptionSimulationService.exe
1960	perfhost.exe
1392	locator.exe
1128	SensorDataService.exe
3148	snmptrap.exe
2944	spectrum.exe
4040	ssh-agent.exe
5064	TieringEngineService.exe
4384	AgentService.exe
1516	vds.exe
3244	vssvc.exe
1476	wbengine.exe
5068	WmiApSrv.exe
3720	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\42f949b7293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM46AE.tmp\GoogleCrashHandler.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM46AE.tmp\GoogleUpdateOnDemand.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM46AE.tmp\goopdateres_ca.dll	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM46AE.tmp\goopdateres_fr.dll	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM46AE.tmp\goopdateres_fil.dll	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM46AE.tmp\goopdateres_pt-PT.dll	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM46AE.tmp\goopdateres_ta.dll	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM46AE.tmp\GoogleCrashHandler.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM46AE.tmp\goopdateres_bg.dll	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM46AE.tmp\goopdateres_bn.dll	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3da0996a8afda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5d56696a8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1069595a8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6281896a8afda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042d43993a8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b394a96a8afda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088a12a94a8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fcab895a8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1944	DiagnosticsHub.StandardCollector.Service.exe
1944	DiagnosticsHub.StandardCollector.Service.exe
1944	DiagnosticsHub.StandardCollector.Service.exe
1944	DiagnosticsHub.StandardCollector.Service.exe
1944	DiagnosticsHub.StandardCollector.Service.exe
1944	DiagnosticsHub.StandardCollector.Service.exe
1944	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4676	f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
Token: SeAuditPrivilege	4116	fxssvc.exe
Token: SeRestorePrivilege	5064	TieringEngineService.exe
Token: SeManageVolumePrivilege	5064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4384	AgentService.exe
Token: SeBackupPrivilege	3244	vssvc.exe
Token: SeRestorePrivilege	3244	vssvc.exe
Token: SeAuditPrivilege	3244	vssvc.exe
Token: SeBackupPrivilege	1476	wbengine.exe
Token: SeRestorePrivilege	1476	wbengine.exe
Token: SeSecurityPrivilege	1476	wbengine.exe
Token: 33	3720	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3720	SearchIndexer.exe
Token: SeDebugPrivilege	4004	alg.exe
Token: SeDebugPrivilege	4004	alg.exe
Token: SeDebugPrivilege	4004	alg.exe
Token: SeDebugPrivilege	1944	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1568	3720	SearchIndexer.exe	110
PID 3720 wrote to memory of 1568	3720	SearchIndexer.exe	110
PID 3720 wrote to memory of 1936	3720	SearchIndexer.exe	111
PID 3720 wrote to memory of 1936	3720	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe
"C:\Users\Admin\AppData\Local\Temp\f6055f8344195cf8b2e7598802a8fe2a16ed9ac1198174ed15ffecd85ca0364d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1712

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1812

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4992

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1128

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2944

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1568
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
20e43a26afc5778e5a54b93522a9a0a2

SHA1
2e2bb2523cc321ee0d2dd7c9b9bb1ad9b7b3e865

SHA256
12ddc50aaaf41bc7221facf3eff5607e6c09135a13773e817bf6b691ab8aa8ff

SHA512
dd93a8052ae9fbb6c0a77e6b1b3b27e3462ef889c77d96128a00a062589b0c0dd90941c6d6e0a0706427f5644494d29f678ee764b8b3b7c160a316884012ba6c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1c3f8e9dee9dbc024d975c8bb62a267a

SHA1
ac98e27e47dfc42a8eadc4ca29c365b3ea9974d3

SHA256
492f13124316019bd92b0c9e4f9b81af9d9de385a621eb48ce85f7b9d5ea149b

SHA512
c9a8645dc48a7fc71b3deaf45f46afbd4aef1515a18f4b4a245b3ddaf0da3f15f0dd56d68ca9198fb64eece52b6369f1dd8fd26d2f72ebe1391d006955542268

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e6a95c68539d233f47dfbd437dc9d2e0

SHA1
47132121dca810c0a80ba12e1c1f8e588792c348

SHA256
97ddb7ed4537d4aceb6820dcba5f11e182b571d1a907b1da2a6c0ec57d8368cb

SHA512
d3853d70a5272a9b6f9f6fccad55d080e22d16fcfd20e6b396df62f44d87674890fe20ff48738ece7b6869e0c17a602ec0755f80c52f0b8877869ff5aa496341

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
76bf20d18cc511e9370cb9d715d94367

SHA1
926a5971c7167b82582b679c06932bf3a9423657

SHA256
d1c2cddfa5764ab25f0c1d500f3f0587461d3eb22aa5bd02db6ac0b6c806fc41

SHA512
5ed3d097678e4c7c7e6f18e5d729f5c34c632a8d27d12e64d28deb1e54531e8bafc480e0ceca1760dcc0383fb06105bc3d7ad87f65f660aef5840e8d14f95d5c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b71b6358057926687c8852abdb97368e

SHA1
b7353895debf0c81a2e220250b3eceed8a804e85

SHA256
1c89df774e13ca0f8c417991a24a90d3a8a980bcf43eb7b91e4e0781ee8573db

SHA512
80c44b8fbc980f011a1c47d48dff63b522adff46b63925e99571555b40682b25b1c95c7e96422e0ebaa0064f11e15c1cead7ea48f1eafb1ffc15f9438b17ff67

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
186ec56008365ce26bccfdcf62c3b0dd

SHA1
928f11f61e931f64320419001a2d05a3d7b720ee

SHA256
6a98533119fbb4a7483cba844bf5894a547414123e23c94d30938b16b6484f08

SHA512
3ef9ea84faf37534c75c5f4e1bc84004999c644bed00f2176d8b4a4d43c10efc5cc7cfa696c8f2bc46d7c30fe36d81f3fc3b2e8180dd2c7b1243cc22127247c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a306485c367f1fbe4fcaafe758342a45

SHA1
3c7b6acf43cbe9a4d91fca5c0f2670cae339701d

SHA256
c3cc1bcb37191d4e588b168243b131f33206fac4aeaeac518ac58b12d9a7ca65

SHA512
80e2ebcfdf923bd40c7fc420530a66b40359eae2d3768a3dbe34eb26f95d142f1ddaa36ea93b1b9139a0f2828ddbb9ff42fbcef34ee071c96c178f998accf5a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e011eaa9fc0bbbeffdaf6cafecc64d20

SHA1
8518af8ec48b7a1eae32bff0839637d9dad33304

SHA256
efd290fe2e574006f84f14106ecdae46ddaf747ceab02085fd4133160dcf16ba

SHA512
86525542fe9ae76885896d2538f98cd735c6ea847bb6bd5b321fe963928c2e474ee699b6f63148e56e41c61b3f4a2a73eee32233afa8b17b710a4f4bd7ef2e72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8bbe383176318ae3ba2715ab474590ef

SHA1
4b4101521ebab3b1713d5f6fd78f9e14ff58bd86

SHA256
6f836ffc2296100013ad28fd8805491bfe6a91b7511639489198f7597b550a95

SHA512
c8cafed22ca69175d5edcf27ccd60ed31e490e5c20330b42d4c238794da166b82742473a56bf85f3542cccd33a10852b0bee215bfb86527e1e81ea948383ca2b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4b2bb21fb31b3e0df33ed1c0d728dbef

SHA1
42cac62487be221d06076765e9a6e45b45a67c9b

SHA256
6b48773e2092ca323c245491a770f0513cae469c55f703263aba0a30ee379c57

SHA512
76ca0ae74a5f3b3ab9f37f2075bf54c4a726b0efc74bc2a125a04b47efead83acd5caeaa1de7209f962810aa8017eaa7b60526a7ef8666be9981522cdaf5b7bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7d647b135d4f9ebda184086d9a73a76a

SHA1
ad0c291560bd9a56c561e6e82050a12cd2cb6d31

SHA256
cee5f755934f342b71dba34e9f585c50f50e872cc0f815ebfd59711d802a3cd5

SHA512
f3a94d37b43f090db7e406cffe48f8d512f1f937f365a54e5cc7273b733bb56110804e1c5805235d0a51d13c0f8455ff225c6bd339bb36896e3d69018e7bc43d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b8d74c24deea9a519d4b44b31358c3db

SHA1
f437a9c1bc53483d31f238ffb0d58ba3bf9d94b6

SHA256
ba0702bd714421b9f511933869bc28878a1d9dced3dbbd6c5538c63ce6dd84ea

SHA512
bfff23ae75517d89c7625b0c14f30328378d31ccc4be3379b2a9ed084f7a32955a215e5a3acc06386dbdd14fcfcb080878167a17e5ebb3950d3c59669494b1a6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
6b5076174488fcff420a0894b171ca7e

SHA1
11fe2f5a9fe2e2b0aa257d2faf9dd0a9a13278b6

SHA256
b3328e4caef081aee90b2d8ca20d2d6954ccbd41ddfa7042929fdb9330d3df96

SHA512
66ff38962c5fbf839a94135fd72aaa8f8af1c03867faa267f3ce45adfa392d78d17032a2ff662fbe47ec4e9f43ff591308e964650b3926d46e5663ebf6612c77

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
7f376d2ba124802f7e22d33d8c15435f

SHA1
4e417c74ca3f1ab362843004bd593baf1543d82e

SHA256
e542946e0c9076100213da1810f9352425496cb14b156ac140dd0f66bb612dea

SHA512
59f0f1f9f541ccb05452c682b150c7d9b9dba37a32a131b1bbf4a01aed75b184e5b4e07993ceba3932e422dbd561ed19e52fc23aada13469c5dd0f81a68071b8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a20ced02333c058985b787edd29ad702

SHA1
af9bfc6f32562591758cdf66ce9f49f2fc9e76ee

SHA256
c5213286d31e74b8e553dbcf5aecc562bda4591e3d67574bdce7ab63c5418655

SHA512
08d7c0674c9bf44619fa872876e92b14882cff612da67df2875fb5b516227923615e9329a8a7d11b185560b0c42fb963ffd62b504a1963e3252534ee3a87704c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e37e1cdfb5138f198837dd5409ed46e7

SHA1
544894a12cfd9ee7f86a7c18d38f47965699b955

SHA256
08c655bde4762488583ef848fc51a4496967a7d9d3e9d8492ef22f0483de93d4

SHA512
24db089403cc994cc28ca2582b30022e58c9bceb382c262f39aa088d80a4769b2da8752c750576db4d12aa4a3082dbb11936eab52ad7705d004495b02a0d22dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
dabc4535e55bd2b182c7326a61b26d83

SHA1
b727c7689ea375d742bdf39785455d2d8247f10d

SHA256
f6bb48ae58840c005686381528af61b9c748190fab78fa5fed74ef5392a13f3d

SHA512
81d14db68d4a297fc3537934d1bc354632ee90eb8af0b38970a248251f82adc51e2e06b4e2c037346df471fb4ed4b945f30048a6d98fc64f5117dcb248fe73ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bec7bc69379ba182e8abfa8bf56500ed

SHA1
5e5749a31473d2954c840d332cbf40f55b95fbc5

SHA256
01d87de380f4972a9702578f794c3581f1e7b47d897a1651432eaf15992d0a06

SHA512
5f5d864028fdbe0acc3296efd32ebe3809cbbcd6f6017e7af19232fb260e49db292e65a5d36a8d2f17712a5e6f55cf490048eb0feefbe7ee83c5fecf83f181df

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
89dc846666b6d1ba0b7beea025762afc

SHA1
9ab8d0e892480a97db71c55695ee635ca3c00c28

SHA256
5438ee6cfd2e805dbe37c794560477df877df0a6b6320352bcb57d05f815938c

SHA512
6defae02dfe29b44ee0526f78e414625ff53359cbded9483d1b29a7d12fb587517ad522c1975b44bccbc6913afa9bcdf5438c72a8b870c4cbc0fc27ac0221c29

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d978e3e8942871b123b57d356c499fc3

SHA1
48799917dd9804c933651e689bc6113a0206b1e9

SHA256
0f1163af7fb8b8385f3c5b01dced8c076c75526f3bdcd96b34d012a58e22d9e1

SHA512
563d2c8c55c24a8b4f4283dce84661e80c35e9df879aefa4541c9e8da585727bb773be80f24ae8d2c7558c488e686218d2d686bc371ace58362e97cc53d5ec1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a3fe4255e6cc6d3043532ea63f5074e3

SHA1
553890fa83b001ea591d7ec68fcbea12eba4a7d3

SHA256
2da41d4f9eaa96a9ea729ecc13f5d53609a40be6b4b85a8d4532d1cebefa028e

SHA512
6dee43f0053d46f1ffd15b26643e36be06b072ccb11aef62a996c69871d9a1fe20ba93742cae961eec0f26433b566a6d0034b7e4484da08049b4ede93bad3a9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
19bff43c5d54036f5aa1857d74b23674

SHA1
ec266297e72fa413d62b2aa883f28f7078ee49b4

SHA256
834413b0646a9cd3aa11df7400ed81db36fd67c844dec8e66341282fa4a82650

SHA512
1bbf42e97030dc53f2091414053ec93bff7e6e792829c6e74015fab43ff1b64db7319040050fa88d04b3eaef0e90310808eaef6f128bec1b654e705a5a221083

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
2bad1891929a42d81e11daaedaf97cf0

SHA1
b97bc8ac8059c7401af6231ed9b701f133de84c8

SHA256
314a269f88da675ad7d3436f9169c6e5727510db0e995923ec6beccf37836edb

SHA512
3cb173cf0706f88cc4c8db2ac6433f54848d493fc49afb1f5b5449b910b703e0b022ca8cefdbf8f3a8fb7cf72b3d4ec015d6a6f9c61d843ea846e971f0127a7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
2726e1b3a8b5a485a98e7b295d829f8a

SHA1
8493deea94f11f46b609a07d4936879bc31b892b

SHA256
7572755520b1129d6d9ef57fb7c7b902fa6e47abc5cb0991489de86d6bdbf494

SHA512
eb9d48d1728f76392107922e370ee87728533f72db5b954e7620dae8758a78f8a4bbf84a6c9ed937c75e81cbf4804c4cb4a9954401e394b530cfc42993be48f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c81b94d87a0d3f83dc44d67012012495

SHA1
4c243558a84822ff1f5f37d8c1c864e2603fa5dd

SHA256
280477490a834e4fbfe70c6c841ef3ae02b39c6b1d38abf945c5b4baa393fc67

SHA512
8ac7b6401eb5cb1f975c3842dbe69ccb0a6df6dcd863906b566301300803348875218b3fb090e446ae37130788898ff21405b0ab627e14a7db4077946e348a00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
4b86e46c6422ca8d8bb1692c635b1031

SHA1
7d780ebfc7cec68878ab1ed435008bc816d101e8

SHA256
0560fa45794f3368a593b2795d8d84a69e87e76701e485f555a17174e6e8b060

SHA512
f13fdbb8eff0c42cdd1d41a498a1f375c647c7a507f2360f565c90360450f15299492d7d5c9e4e42de7290e2bb6b3d86aad1cdb32c90be26648be6662a961054

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
788f83daefb7d1665f239689c4d4706b

SHA1
84b6e3501a6b222b5ead47d4f4ec7824d0db518a

SHA256
06a9471b198769d1d4b697647e4e8633e7a0ee0821d5cce9c51e09dbde359218

SHA512
81491ce64adf1d413be348a067071bf34991b6d15276d475a3e2bc2cda23f1398761b2acd1852f887a661ec7cbdbf30f0e1ebd2bf6fcd592faf01d61c06e5147

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
d5724f7168d6284ea43fc0aa3e8ad3f8

SHA1
33e545021726579b766c84782d0cefc83a007988

SHA256
43429f99a7b45e7674c20629f968c300e67fd898c66611d5ec0dc98e5a536f20

SHA512
ed3c80646bf5449538e55a73606877d76f641e428d2d9865d59ce3ab2f0704938aaa1c6dee8c25d899971e55ba780645f203f19c7cb548e8305a74d9ca5483f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
96a57dd4bff071dcd4afc615f7ff815c

SHA1
d6f227803f428dbd9630630ba5724c03272f84fb

SHA256
1ad797cb64d3e7190262cbbac31bd11ddd4f6fb9843608ee653e426e38cb503d

SHA512
241ecc3ce3ed35163f2d75e4fc6e1245c2d1c13b273664788b622c20e86549fc83899ef170d825b3c98f7dbf7a07c95216394d32ad17b374f48b3e6beaf1f317

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
32c5d6cc3fae59e80041ef4c063fc34c

SHA1
2361785d041efec7a8fa829400804cc35683795d

SHA256
b57720cc5d6193d5bf9d5dada9bad4f52e8d88b57977dfefee8355700ff2dd2d

SHA512
b827ca0129811ef3527320480060f8a3ad6a87d34cecde212206ba5d0d079eab25c19debd1c2f480c3c810349b9c32e229bcd68ce980d534714481268f7ebcc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
77e96dfaf189255bd2f8f1cf7f482acf

SHA1
02a39786e36b7e9da730a2a8fb9153cbb25123b4

SHA256
561c8c509dd878208322710417a15f117e52e45f5c60bbcac9cab76ab6ac4bad

SHA512
5bb86b91293e90b452d9e2ffcbda1cc267b52550d3b814a3bb9030a17fd5539d4b497dc2d872d5cb6d720b552caeb0864c5323e91e3c6ce8f5131153b9cf187d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
f70bffc4a30668e349172cbed39b3d51

SHA1
98570aa26c55eda98e02d2fd835abbbacc9a3b14

SHA256
37d7497be7923ea08c102d003c5349856da34947ac50ef4d1fe53e353b53186c

SHA512
957f916afb4702a7680e51703f29b9c1992f4a969e1d2ca857a0810d3c6f878823e31cd213c54be943f8e661b4dc46580a45918a497aa52c7ecb6290368bf026

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
917500f864245f7911299c47c6abb9c0

SHA1
5e4a1fbbfebd8f1e4cd1c521a0544452b0361f33

SHA256
d0e2488435aa98af5f8d17ac56259d9772e50cf6895a9eee3ddd0c8162e559cd

SHA512
262598630defef56c3b14b1b7be4d49e314c5baaaf3800b2e4012f738cdef19824120a401f0dc147e88e98e43412243323de4ba6ded74772d82026dfb31cb7c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
be7186177a920be94eb38661d83d980e

SHA1
2f6e06733630a4277082f99639ac34184cec8d28

SHA256
1936a658fad7bc52da376f9683da918368ea92a03bb810832731b1c557880794

SHA512
c556a99a18ab7450e18eeee6127041214e8861c71f3b985faab98b64d7852970d4532abd0ad19b46d6744a168e10a69e797c6823b5a4647cff9ff5c3dc8801b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
a178fc7d829ba853914979fddfc39ee9

SHA1
4ca678ede4ee6607bf51d955e1eafae9bb85f6da

SHA256
31d69c8d935ea256dc59f70dbceeafbe32fc01c6d6a691bba6e770bd271fca3c

SHA512
07ce0a3212eba7b58f48c6fc65aba9bc8cc665707e52ce9559c042138dd00fe3d78084b74a345d4740fcce1bbeac738e6c357c6acdd8977476ba4bacb9d6cbaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
280e4d38222025fbca1b56e487b78c95

SHA1
ada51f3244b6edfaafc50471b8e548989232a3f7

SHA256
ee451836954489af86b253ee6c0c748c8434018345fba0f986ca82b83d611962

SHA512
fff4f617f92aca2108b75e33caa1bc5b839fa694ecc5d577a1411e049d8551b9ea3dd1289dca0ff292f7798ac2a8970bf947e7fd7788c41a561d4680d09842ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
3347729418f47ec78ee58761bc0d99f5

SHA1
c8699e8af538854ae60b85205073e9770fcb9f12

SHA256
11a8eb851e0eb2d36f9aaf756d10a66130832d33cdce582aec960f807ecf79b6

SHA512
9be3d618c4e9332ee7778764c0cd8fded4e94520b53d5afe0b39133fea212400b829e0c989c6717664fe8aaae55ea3482829ebd8f8573ecce06ab63d96f9b331

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9ece67f393f763b0260433473869d182

SHA1
5f655469c7565056f8c8b2acbad095de5b4d8951

SHA256
f311e4d06de175e37174bccdf617641db76fea4cba6312714538650564d00cfe

SHA512
a983c14697a5894446cf28a7e9d60371b6055ff0319435072607b33b2fea1703e020cd8a817a4b7668b12c91bef6860d60ea82b686420a90c494d142ac1a3ea3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
e38ea20f6b172185c5a97cd84856c5cc

SHA1
d90bf527b73a062e287adf9d604d59bc2d8c09dd

SHA256
7c4f320570c0fd5cf5b97261dadc5b087e769273107a18f149b243e9d4423118

SHA512
5586c4dfced1515aedc1acb912bc2f1a271f67d21c7eb37f41cc251f6647f773ef4b43c9ae94880f50294c4c618b9f2a79a9816ba97ce49f05e164d5fbc6f4a9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1baf19b9ab64b53846a73c82b8cdb7f9

SHA1
29b9bf4a41b360e31a9bb5820a39a47ff94a0f86

SHA256
c912a50db69f36e8746dbe9908e1924d5969cd3a5bc4f09667198de6b8b76a7e

SHA512
d2239468ab7cc155ae29b1a279a1b47e525ba5cc5f252a8a10460c67d12c3f6ca8aa8da09748d614fca9bf2aaa15f91eb9271cd1c687f4e0fe1413d834101dc0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d299792071080904b993dd9f3c70c553

SHA1
19967ee1d19cf6870af6ff0ffdd02d9c61399262

SHA256
11a94f4f5ca368f0df2abaf57b52cecfb972cb6df4fd305ef47d036877408bfc

SHA512
56821bc7e784c35f253f33fe302062a7eb0051522dbcf9700eb1c90ee25aa2bb8596275d243ff45cdec274a68c4919f399feac4225ef89d8bf506a9f09ab688f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
68ec8aa06fe06aab253c6758784e162c

SHA1
6e5a25bb137395fbdc590bdee5542daea55ebcef

SHA256
c1ebe5eb544ef4310fdf89611c06b0a5c57d7e8565f5e4dd4fdae446e3723bcc

SHA512
da025043569c7bb0596504e43ce9c24545c2fba3306a84a14b1b7e5ec809725b6ea0551e3ac29e818ba45a2feea9100dc06b0506b0455b861da945d1229a0eaa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8c4143d7f27d053130a0bb9e9df7afed

SHA1
669d7b0c03f988e53b1d2e4dd50bede5c2fb5afa

SHA256
d4fbbcf48f54be744d5fdd0ada2f3cbce49b983073ebd8678f16045a61ec871b

SHA512
aa0a833206dd2b07d9d516cff24e1480c3804aeb91e321a641afa72f5555b5628c1cbb1623943239977ed553761f7bd7be2a8f49cd8ccc7c757504cba50a2f0e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
07e617f92b1273c74a9f43e1b8df35d2

SHA1
153b63f35f3334cf604b228d5d67475e335c83c5

SHA256
14d38ec56ebd7af103093e3010b0a1ea59d4d55e64be73d3778452d27d0997e4

SHA512
8c2f5815ed94d12ddb2117cf495d52019f09b64d10173b3eb2250e3b13f8dd8ae30f6718baf05f37ef3da199af9befd2c6d1af75e4675e04dc94556b433b7535

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
59110300638178e15012e167843ffccc

SHA1
21685f63555894c6a775942cc5a94e4fcc821b4e

SHA256
10ad6d6dde9fc933b09718643635b32f4a3acfc8a1e300df212ab3038b54f3e8

SHA512
67af2611f550db7bfa43112b9ca97c69384f40ee48deda6558fcca1a458475053f6fecd77e7ff9229280a64f9ecbb1b55840d58c3c0889f11a93f0198badddae

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
f21ab66d5b9e8b9994398b59b4d1ea76

SHA1
6e0c8ce297ff45239e53f412bd1cd8453c0a9a33

SHA256
592b57f5b223bcb0e41f4fe6ecdf2f2c9e3533b4839c96c51407a877bf24a47b

SHA512
50935a7218b646f3a111d79248b4b00a1f4082ebda07f2e2ba06d058dbe197a616c7551fca09f4b1f81b4152d457017cb9268f04afc86714e6ca0845564d2c7f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
750cd682fda6c809953b01e56d73b056

SHA1
f9a6e6c8b309769543a7fac4330f664366ab2c1a

SHA256
843db96543b1eac75e5e2c1f2fea648456214ab13cbe1efc50f1daf4f33c3649

SHA512
d69f3de204557f01ac2f717b2eed36cee4d9e2518e079a736564c22c1d7b266a7c91cb690b7b374368fae66c0f720524b403ffaaaf4b99d03d48fd9248161bc9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cad1e0ba815c4e19fb3edf99ed0486aa

SHA1
2048c2c8b82b1f67de3918c085fc529cfe80752a

SHA256
f8dc230b390f1e87a525fa88c06c4e45793f34e1ce7bc965961c190e6845d7fe

SHA512
a270464c784f5b7b1fdabeab15cb3ef73ab61c82b2da4d1de10eec10780af97335cbd4c7918ef772c4933b77202630a0e53e012006614ea5eb591207f55f2cd5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
64a59716c145e9b76b720a92316f1146

SHA1
d82ae5aed112b6759ea28ee50213d82508b372ef

SHA256
7d9fc278f4889b1e9a193146f6b84b31217ee97a87531a9f8275636e76842331

SHA512
741b741263c53459cd6ba1668c72283dbe1c576daba416d72b612a6a696a7e2bb069df982a6b58f280b69320a1997a309689205d36b20b637bbc5851da4ec056

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
abfc98afd406ba3643cbc83731ad07c6

SHA1
b8df534b3fa379ea69b624569bb5c0be70f3adf4

SHA256
ea5c3d0a3c5d5ec0e1e01370fbadc8fe62524ec6b3074763b78ff2efe3661a04

SHA512
db6205a7c73d0988e09954828129e0dfd53a2512f36048becaa37034d490417d6feeee7ef681304993030a8a0a7b99c8b0a02ebae969632e8f89f715215827b2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6f34f727853cda5266e8de4e6761c854

SHA1
93b1cc1bfadb4dcbb58d0193f543522478241a5b

SHA256
c69711eaec7ac07adab5cb66f0634101edbf4bcf805dcf03e9f24e70aafd4f63

SHA512
5dce84903a93c3a426e0adbd131885e6e472755b3b5b6e4e0a5ee97bcf70f20fc8cf40f4fefe6619cc89d37b9aa5b0a93666634ddf5e19915c3b9081f7e468b3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
0040c83ee1775424e0f09a0dfdd3d478

SHA1
8af22dba65639931a1bb1c926d6d048d43338ca6

SHA256
10b7a1fa8676769e7839cc76d4281130f2874c505c28df0de2cb70e6105363d3

SHA512
31e701a8d7754b9838118c61147276c7f8957ad22d1823ba3f3e5bd01a77b2a1623a337023a62cdffc5f4c6286001d3f7e4b9365f7aeaf046b5083b042f44156

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6213dcc50fc8892e3a45268e69b86d04

SHA1
aa85d9f17a661d64dbcd941456cabe5a4d62e939

SHA256
62e5454eb52b6e5ed3330a4390786b9f54d8260de4217ae6fdaac7ef5135a32f

SHA512
5760075959179fd501d74effd8fb43c3357c53dcf7a113b66e7ca738e33850ca367885bf1f813eb4d28bf7167748c0ce9a4d07e46c0d8f0843c7be6f55462df5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
19b726ae20338fd7d890d0207411b930

SHA1
77621bbfdd612a5fbeff6d37cd330bbf57bf43ff

SHA256
3be5c8c19658e7abe24337c32fca968aed65340b1168ac4b150576a60c562985

SHA512
e066761ef43ab8b755dd218036f44ddb7c8adaf488701e10ed8f69a64124acc5c9bec445b3fcd106a2019ec958aaa69e9b802dc0747baf67f36b62812cabff26

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b51995184518ba3d2be96df3a182e1c5

SHA1
dd31dce95c72b63315989da64349d467a876d976

SHA256
102c76552d49d2076f4d99142f71dce36c969711ff1f5108b52349519484ea9b

SHA512
279b674d9e56e34a9662470f9c7c93980045cb7d51a75a4940b6ffb47ceba74432bf1b653b23dfaa12cd0134006de56a37c32bc45f142df516b6d1495c43f2fa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
6bec126e18f11f89f016696dc3f2ca6d

SHA1
6e1b537807907ced6a57fa671cb4855b13be1e2c

SHA256
b17bead07eba5671bb21fd68444ecfba6004a538aabe47f3091434a55a002ca1

SHA512
1cb4ad81db328bced925ed130c5b4465dbd04ed5f40f925d9f0cd218f9999588fb53caacb4d469fddc3d4cdfa8c8c4a9417b1b214340a3d83bb0c93baa1cb78d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
da747b708ab105b74626a0a61eba57b2

SHA1
60579e3bd5e90275cdfaef7b50444a5ce163122a

SHA256
ce0440d3217fc8969043b4fbed9b8bb596c3782cbc608a147ab38b084ce42b78

SHA512
885e14734fc9525f1b5ec9f247671897885ddf836f3ef15debe14555f3c89ff3f00886b79a2b5c1ec7a121e1c5cce205180e1a5efd3a918a98b63c0f86f7074a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
081c5a5d4d3366ba3803477a56b04a50

SHA1
579df1392bde3c41a27d5fc729c337045c4c0623

SHA256
ce4ab2a15da087125911c6f260a1befa3cae99b46baaf6e4869432c346d603f4

SHA512
a6f189aa006dd46d00931f56aa2d15e63b431d0860933a34078653e8f4d5c7bb0d5f1cd131745281fa280017cf7795b64813e7faa63d7c3ed344cc9d5d1136ff

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
4b76b313395bbecd6e0a4bdc93c660c1

SHA1
c6f6e21bb1e4bc39e9646815b9688a3d224357f8

SHA256
eeca61dd72bf72bef7c1c4109a68d092bc29f00e08e6dcb96fae40a850f2b457

SHA512
2a9adfb54f62f3421752b176d4b4c2ffc292d619d04bea1a6b0f33b8fd2cfc9fdfe91c385be04dff7d535e42eabfe8a906fb437994ba7d54ecec40ddcdef9493

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
1d3cf3fa231aa14f3b6b3bd52ccf76ca

SHA1
0b83d84c6715e9ce9b93c8c6f09c1aa7955cdda0

SHA256
e2f70b1a55c1e8411c61c3823782938b1325ef1341706b675522f17c7aba3ec5

SHA512
f174e9b71d9f4cc2dc095e504787be4c586100dd66e77c330d267a3a3b37f15b731a85b855e5aa44418c88c749bc5ddf1b661a94dd7831af6035442391e76b3d

Download Submit
memory/216-116-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/216-789-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/216-122-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/216-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1128-257-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1128-655-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1392-256-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1476-346-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1516-344-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1812-140-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1812-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1812-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1812-790-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1920-142-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1920-152-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1920-154-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1920-148-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1944-342-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1944-86-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1944-102-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1944-101-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1960-255-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2944-793-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2944-259-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3148-258-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3244-794-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3244-345-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3344-254-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3720-796-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3720-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4004-178-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4004-27-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4004-23-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4004-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4040-260-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4116-129-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4116-112-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4116-107-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4116-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4116-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4384-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4676-6-0x0000000000B40000-0x0000000000BA6000-memory.dmp

Filesize
408KB

Download
memory/4676-612-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4676-1-0x0000000000B40000-0x0000000000BA6000-memory.dmp

Filesize
408KB

Download
memory/4676-166-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4676-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4992-167-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4992-156-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5044-179-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5064-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5068-347-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5068-795-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download