9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
Size

1.8MB
MD5

0eb98b8dbf57fdd49eba28175b8b69fc
SHA1

5d369c4dbfc24ac4810a428a67d06e999c2e14bf
SHA256

9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c
SHA512

9ec2157b651a1dfa33b7363ed993341c2260a910326b4d55e3b6ff64b90135da795e1b0492c6e6d7a3351a71bc837ec2b11cdf0a6423ddc8eec1f403e476a916
SSDEEP

49152:Px5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAhCks7R9L58UqFJjskU:PvbjVkjjCAzJQC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1800	alg.exe
4396	DiagnosticsHub.StandardCollector.Service.exe
4132	fxssvc.exe
4940	elevation_service.exe
4256	elevation_service.exe
4424	maintenanceservice.exe
3604	msdtc.exe
4984	OSE.EXE
1664	PerceptionSimulationService.exe
3960	perfhost.exe
4616	locator.exe
1556	SensorDataService.exe
4512	snmptrap.exe
3172	spectrum.exe
768	ssh-agent.exe
3672	TieringEngineService.exe
4608	AgentService.exe
2688	vds.exe
3732	vssvc.exe
4960	wbengine.exe
1348	WmiApSrv.exe
4308	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\System32\alg.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cf99578293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\System32\vds.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\locator.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM55FF.tmp\goopdateres_fa.dll	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM55FF.tmp\goopdateres_gu.dll	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM55FF.tmp\goopdateres_hr.dll	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM55FF.tmp\GoogleCrashHandler.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM55FF.tmp\goopdateres_en-GB.dll	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM55FF.tmp\goopdateres_te.dll	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM55FF.tmp\GoogleUpdateBroker.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM55FF.tmp\goopdateres_cs.dll	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM55FF.tmp\goopdateres_fr.dll	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM55FF.tmp\goopdateres_iw.dll	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd2fda5243b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1f8354f43b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059187e5143b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009691dc5243b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a657c25243b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003104305343b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000167a805143b2da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4396	DiagnosticsHub.StandardCollector.Service.exe
4396	DiagnosticsHub.StandardCollector.Service.exe
4396	DiagnosticsHub.StandardCollector.Service.exe
4396	DiagnosticsHub.StandardCollector.Service.exe
4396	DiagnosticsHub.StandardCollector.Service.exe
4396	DiagnosticsHub.StandardCollector.Service.exe
4396	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3252	9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
Token: SeAuditPrivilege	4132	fxssvc.exe
Token: SeRestorePrivilege	3672	TieringEngineService.exe
Token: SeManageVolumePrivilege	3672	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4608	AgentService.exe
Token: SeBackupPrivilege	3732	vssvc.exe
Token: SeRestorePrivilege	3732	vssvc.exe
Token: SeAuditPrivilege	3732	vssvc.exe
Token: SeBackupPrivilege	4960	wbengine.exe
Token: SeRestorePrivilege	4960	wbengine.exe
Token: SeSecurityPrivilege	4960	wbengine.exe
Token: 33	4308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeDebugPrivilege	1800	alg.exe
Token: SeDebugPrivilege	1800	alg.exe
Token: SeDebugPrivilege	1800	alg.exe
Token: SeDebugPrivilege	4396	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 2592	4308	SearchIndexer.exe	114
PID 4308 wrote to memory of 2592	4308	SearchIndexer.exe	114
PID 4308 wrote to memory of 3756	4308	SearchIndexer.exe	115
PID 4308 wrote to memory of 3756	4308	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe
"C:\Users\Admin\AppData\Local\Temp\9166d44aa02540263ff77fb2c8c3c5b88077ece5d5dd23fd661f84cb1dc3061c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2068

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4256

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3604

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1556

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1396

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1348

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2592
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5d592cdfe972f562936c22204d58cb7e

SHA1
85193036efcab0e5b88c80009b06c8ba5002dec2

SHA256
91f3fbec421f3fa432682ac14cf7356e85d6e5caffa37d6e3249073b1d979bdf

SHA512
4332034e44540dfde039414a1a773b9e7a8125950f290f1a9b085d04c8135a3a442d87e20e79f1e7988a68098abdb4bfa6a61fb2ac60c9cf032c704ff1cd26b4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
b8e41fb96dfbeb9d59aa6bccc942d966

SHA1
6cb6d0b6cc32c04069d4c495ebf52821d8c08789

SHA256
a8a3ecde66c4208078990bb7ed20d1d929a0f62cddd3b69d941dbe370a55365a

SHA512
3ba29422994bef003291b01d84f39a00c1c02cc03dfce45c67925f67a8817897e849afe6698d1d57d9b6d936df12f76bdcedfbcff74d5e6d124d737feafe220f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
c742f09694a9e365f065d1cd96b1f6eb

SHA1
b088cdf48440087d08386b2113a61eb515d32b88

SHA256
88c28abb36c9bc3e9978041c4f001041c182a83f57b80c14bbe2164fa89e57e3

SHA512
4c9cc93e3291dd6d12e4798918e631b66acc9bf0f77ed00393a30701376f347df7c2f6fef0f30bcd6aa75f4f45a234acfe69b4d811780d6d7101223396d494fa

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5490e9aa3402ac401dfaf0d04381314d

SHA1
7982fa6ac2096dcabc03092f9e414dab5d0cb304

SHA256
509e019ffd395c0b75242bed560d3425c9f27789020669b1e7c72b9f504a9e0b

SHA512
955b7386be48d88adea276c659636dd9253b84ce69a07e7d1f58c844f28ab1d701d45cec1e3394cd9ff5ed268e16c5b3eb337adbea37bcde1d59aa071ef91530

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4f19eabcfef86927d65c28488abea996

SHA1
e4dab7078c375b9287c8e84a1ff2ddce3a70e6cf

SHA256
8788c5fae11a53d0fecb3dd1ac291b1cd4c108b99021513b6330f4a6fb985c21

SHA512
6e47ab94a91402c64f0fc89e04086d98e32b4f86cdcc037e462ddd175c93beda42ab7fbe1bb7df8661069334c2a831f19a3cf789acb34f8125f1d04adeb8d473

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
822a54d3b1d6266f8c4c4de45c686950

SHA1
2254261b718b1ab2d87a76c9a0e97c1b34ab33b6

SHA256
40a2ca4d1351f1f8035041ea91e89c3d11c69e5afa520f8a18863928da274847

SHA512
3ad6b641ede7c60edf132f327d41b140b26b66534fac2241ace68fd4933964f9cd69a5123e5e7f1df14988cdc5a5f8e13e0938a714f6b80116c37f8b0f9579a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
e8f78414e77894b9318f90fb57ea2d52

SHA1
4f418a2ee336caaf6812bc178cf9df3d751a6ca0

SHA256
f2f35bf48fdf6b8047fb62846e517447e724cba1b72618897b17d7eb02bd209f

SHA512
641b3b475705e292676486551072b2d6730e2e143add6a09e3045ccf7f534214b4e3a2f20ad748480c29b72014c1a3d4d0e344daaac49e6ce3058b44705b467d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a6e15ac873614c5df6bb116fd9ae7850

SHA1
93d675380ed62c76d60abba48ec77e22811a0825

SHA256
24284eb52316dbae7a07ba602940e3d447528d3d98b624f4f854330e4445cb3d

SHA512
f62acf7d442fa690c2e22e0e822f58e27aff70cd226128313f3c65c6c188a65897509b701c071216e560990cbeec27b507942b79b9ab7d0c6585cfca5f666fcc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
a3b0ba12a6ca828a772c8161200f9455

SHA1
648b5dc66a1e4aadb5a6139032923a9d940b7bd6

SHA256
8da5e8b6734cd343e6784a6587d04e29a32b05f522bca0314c3d1d07aac960eb

SHA512
a02fb0ab355a94f4a06a969e6ef49cd0489e527de8c65ddc4f2bf904a0279539a350408cd5d369c04b7be8085a6f2552606e29ed336eb0ba1c5fa1d2a4cb8608

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0fd5410b90a71b28d7604dcd3c4591c8

SHA1
5c3199217fc8ad0e1e6d6ab727f185a9d2d8f907

SHA256
5aed5a0fd1b05d68d59705cd74519ec6e36c931ce4354dfbb5351261ebc753fa

SHA512
64506bbdffc6e83f3147a58fc483f8c1709ca45a8dfd8ce319476ae8bec635ce4c40134e9dfa9aca4ac3b1aad716ebf254686f7a5fc0b533a85337a7f2dab6ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f4ba80ffb2c3ab672c3fe7813c25e13d

SHA1
ae9b6b859dbbfb60097b6adc8d42751c3e5f655b

SHA256
00311a1fa8c0a54a2c9e46cc4391dfdffc5e739838e4a2d82461a326eadeddc8

SHA512
353d559e34a960338ac799172f9dc45195af5a823a884c103451e29978940998a4d94db0e9ee1874185668a6ddda629fb673aaa62d9dbc9c9d58a7db60d860d5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
22a5336ee0f538b1745d781821b3c6af

SHA1
bea6c16851ceb36c694d64335f286620f84ae1cb

SHA256
7e760b51bf729f16ef9e0581ec34cd8f3d2efabf602fd7e16379dfc1c5a28a43

SHA512
bbaf84354e7588c3303f7a853003d4b6cefa78a7d4fcce87a824fdf59d3bc96b3e5776cbd71272f184946ea50513bfda581f950c133d21fbc1acf6530d1e066b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
9bfeb48024dbe820eb7c23c8bdf441af

SHA1
c0d2bfae2865f3b2e2df0896ac5a8d4a5d52ae12

SHA256
74ae1c4299b7d76fac6e421ad08a24e414b8366f11f18693c44d93277d20a1f9

SHA512
ee555da2440abcc15f90d7d06b8900cb26e15b86d4272f110b0ecfcc3bdc64b20cf21c713bfa41d0c39f423efcc7b93514f8d88f5fea5f13b21adbdca1395db7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
b0f64789ba1c4aace5770154aca1138c

SHA1
3e92927c74a2d03ae4043a7f09f7e04b613d4cd2

SHA256
e1065423344641f83043fb07e48b63b2a41c7d365fb517fd708947f2362c952a

SHA512
7c0a175aa621fb6ca858d120e978c497050a0d5796d4c3d124757b9ccc6445881661ce4c59e740463eff6811447f59ae90d7892d9b00ceb20d410949609405bb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c86efca6a6cd5315f753ce4b9ca0128a

SHA1
275ea62652a8e290b7baa4ed27774e716c8e918a

SHA256
ed8ff228876bb73b41ad35202c0a50cf6493f492df2ce445c05b7ec627d95b89

SHA512
365fc4561caece562fc8488b0c257b573a647ae73f3870f3226f63e9257867e24ae748b6d30e135f3a74f8e36aa67fd54fa7d7514ecdfdf563cfd69b3f47a67d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
482f8dc24f6219a7ea87b4a7550146c8

SHA1
964f59d9047a64cda1eb600e3d1f0bbd76e5c5fb

SHA256
014d941d9ced8630c8a26daa7a5c53e670a6d034c744f4e99a8e84c912f885d8

SHA512
8effec10259e8a1ebfa3ac89ae4885a3458f6fbc4319f08c1aef2aaa89000d8b4d92266f20d72ba11e7e885ccf2e406c267af5fe7b9338e17444c53e42140948

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3852382d6cfceff80d170672add1ab9a

SHA1
21927ec868a86755042d60ac8c691139d9b3befa

SHA256
f4a81fd1162969db82455d4c28835affc009b5cdac0a8bf699775fcc6d3b92a5

SHA512
3b9f82eb6fd6545852e5c37f791378968f48debec06b30367fcfe97438e86736fdc5dd904f1ee8be8a445fd2bcf54613e3a46c2cdcda16350071069a40141c2f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fca5fd403a4ee28e114bd356b3518471

SHA1
1a2fff3343e1394baffa840be0e9982b0e4434b6

SHA256
e6df475669652b72e19279599cc78a0c0b5fe8a21a6a62a658a4e4b1e0c1fac3

SHA512
3cea46fb0358b2b6b2f078bcafd667d6ba5c6f3ef4b7f4a7f4b4745952c5444938ff8565c127332733ecccc9d75e05cf7ec74cdf35eab3cb9cf33b1edde7d47c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bb073fb418aad0555f12f25071608af6

SHA1
70c260a03f410c11c2273bc2238a8defabf2d9bb

SHA256
59eb8fbc5bf3e9f39923a10fb5c649540df1e2e17b9790ed9b1e0ce04e8e554f

SHA512
b0f9606ca7c0cc1052ebb3fbde48bee00720db6a684cbe6335674ddfc2d3498eeef4f627a74d9cc9b879ee5e769c577107b208ee24b422b81a9b0e43889228d8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
60e85143f41c6c95ccb97fc1331c9f1a

SHA1
71a5d10814dd8f8376ceb60591660923160f3440

SHA256
00d43d2dd1f5c3f3e021aa9ed3f410564e77b06b0edd08cd02b477f6ae3d7758

SHA512
4796da51a67823a0071401d35ca03c18e9db9f41068740e4b0d77f5357a107cb952259b56228b6513ca962f642991d68a044a591ad3393b55d03b8e87bc1875e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
a4aa59c63ead1d774714d1aac8fb8d77

SHA1
8698c078dde57f3763046828e2f0b684eb96e98f

SHA256
71918aef411a61ebce69b616165b71f6f54189f7445bb471876512d82e638143

SHA512
285efcf1bc46a28f5cacdefed80e2c1bcb89581e9fa34530143d383a5d19ceb7b5b7cab9dcfcdb82d7637ec2e668e50088c9b59af793c1d3604a520e6b01dc41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
fb069ea309678b3bf85d544914f2a76b

SHA1
0432b9bcec13ca1a608b3d3045f154b583ac5834

SHA256
7ea4eba81a7cc118bd57d28b2097a1cbf9c2b204fc80148fa969ad505b836fcf

SHA512
79a9dfb562985fe3bdc5cdb5eb7d8c6e370ece9bb91f1fdabd4b2aa5bc4418becbaa3a2458515ec2feaad2609b1f21dc647e080ada0f65ddd5f2d2e76ec59733

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
2c79e297ad2fc2c4321c323222a0c1cd

SHA1
21472b16a3a44252691872f30365fde945cc7630

SHA256
d973a4dbae96f89f73ce0369bf6fe646241ec2cc3eadaaef4391853f0699c8b2

SHA512
a8adc43f77e2f39422165757c3ec45d6e3466a7d6a08346944996e204a6ea735efa42bc6f7bf33519194f3085e78a8bb74a8229c60d97a85cdb6d7bb5eeaa898

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
3a699f5f1b3cad54238e3f4d2a3af271

SHA1
56830a20c1ad8d71f5edafb7a4546b9348f1b7ad

SHA256
e023c64d2ee227bd19d53d5e1f745e6fa2215596354be9ee3a024b80697b5289

SHA512
3f9444be77e9e17a2349eba796bb3368a363ff5d10dbd4e1a8b4e228696fb9fe945c8e0438f5462ea2ef8359b9642dc5eb2db3d16601e31a6633f6e6b28d7730

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
9b476892491f2749a8ef9b9bb3b4a07c

SHA1
179bbe3e8a37a6a2d512ba95b55cc406ea42b82a

SHA256
cbb92168d677820a5ce46ae3505bf9ebfe5fd539e93c4f03547606aecdc152b3

SHA512
d0c5fdc39edf6d98a7c92e95dd2ee59244d87cf4dada1ead8e65d09e5d91e05a82730819c1e4af4297b184c412478eed65a0ce4449408034ee1b310da5fbff9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
914705351c5350e480723619463ee9db

SHA1
d73fb67bc3cb6ae3a8a2bd6f3f62e3da5328518f

SHA256
e5329d124b6b1636265178fae85434a6b347ac66615cb38bfde93a610ab86220

SHA512
ff0f8d2fc42aefcd18d26738ac09ebd8020cfdc3d694a06f80b77af46fd96dae365dedb2433c659a831c25c55098b2503035e4baa45b64edb8c4196e9b510991

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
d99a329b91896b8287d0fa879ab9847c

SHA1
d3fff376ee508d1827317ad32fe6fa6c3dcba91e

SHA256
accc302930f27b08cf338ceb981f4b41eafe7df50f26a32a260eb94481329737

SHA512
710a0495ba89084cd7bc27b6184541b252513cd71b03f45107f56524a9e9dc709a0bbeffbdbe41cb1c6ff3227be8ebb7ed02453e61a9a49ed548fb5be04633d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
b5d41cfa4e9b2e98b556e648e36e375a

SHA1
80bd49350f4a0fb68c2afc166b06abb563def332

SHA256
66ff6b239f6115cdd4a0906dc6467b74369779f0ecdacfe571ade3200e500736

SHA512
12416013b6abdf20b8ccd7593cdf6ecc9ce67b7156476514370a694cc57f3d72ce08c4551a226af30dd8d2d7d2fb9c998e57900a6c5f3e39e1a401a4ba842a72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
564637c851531f861d38698e0a65f19d

SHA1
0bfc4b27173f4ff7f87d7707a2b511ced3a949b3

SHA256
d83daee5dffcfe808e26b06816e912948b80cb1c347793ff4f16719ed5ad7bba

SHA512
695cdd1008017d2830b952150949d2fe1a0b07ed0d5b2f775adf3ece1020f6edfa775fdd140e1de715064711439083ceea3b9cbda5b7712dbecd0ad9fa1feff7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
91518f1874a5d026c85e54f8a8fd29dc

SHA1
bf642cf1940fe729a3907cf700858475f35de3b7

SHA256
85df9b778b475798106a05d77bd67278be85022e9fd11cdc418fc78475d3bdbf

SHA512
6c93a879acb00090053208f83be73360df8c1fdf7e800b35a15fdd1a26500d18ffd8c01db5ca29a020813170b00ac528a748269d6dfffaa36c69ae1c9ad4d099

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
18e22062e228043ded7b05d1baccd12b

SHA1
b8c43ab5a9061e40ff930f32bce91b561a87864f

SHA256
aaa9aeeab99e3077ad49e833860878c098f72fafec2934943e144034540a558e

SHA512
9ce33a7262721574de827df3c8c06bd85faebc5bed7e9dcd1670084c27af9daeded21e12c6613ee806efbe57922ea44d287327f83762b76000944b55505a8b03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
fb179d40f80267e302fde23f3bf4612e

SHA1
ebc85d17c3806be05575b6f030d7829ed0f1ce32

SHA256
f9c4e625c46a53f3d54a9d054b3f992dac59ee3c0ab5116e6e09432b4a9b9694

SHA512
0bba7342d8935e1f46f36c43c0084204cce453d57497cad3bf60d14cbaf4059e33a10de1d016028073b7383455f033d6e982c386145c67288174e4451caa2b78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
aeb680718b49bff652f586f97ebabbfd

SHA1
6c8bedb1f03a1b93ddc31613c584ab9f4e58015a

SHA256
66abb3870b25d1c6fd9f61fa10152cbe5d55c1b231ef95b1bb6326e28b47c475

SHA512
e40857ec37f5f2d8f0b194490d151bf89da61250ef60869c477240845b8eab06d589f62866fedd4521cfcffd346776b7a94ccdd3829c15b1029517a259323f54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
8606c130d993dcac419e89da3b7fec90

SHA1
0332259178f2a31215636a7f7e3d70bf66781ab1

SHA256
d4908b3c49d919e82e8e9a5bcae7a7cbd6bf1831e254f3e2b254f7953821bec4

SHA512
e6e708f0f4b001bf9a820efe59cfa3c91dbe2986503bea95afde35b6e1aaa13daae4e541cddecc29891584492dcf23d70ea29740662fd464dfcddcb289916e22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
48dde21ce951f8eed981f98acb9c0f36

SHA1
9055fe1552aee8d1c12d15bec59aff0da39e934d

SHA256
556cc4e5f49f6f9e7ba46521550cbcc8085ca04a7695ee528bd7906043096c7d

SHA512
64db2d943309b06c915f90e2072fd04f185f52a01c5acd5fabf3da035e61fc9952f26453c7d6ef4f022b1260b21033ebd416f04eab52697bfc84d7adf8e3e5a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
98c6309df9576b40137117bd8ee61e0b

SHA1
e84b273030cc788d88fd71163a981b5bbead39e0

SHA256
bc47318091027472a6fed788ad2bd3501f0a2c089fe8b7bc8a2050cec7a07391

SHA512
30f5cff4a12b7689de7486bcfa46aada026462a253843ab68f297a4acbefdcae9d024f58a9c89e01e780181595e4fbad86829c5ac64d2f73aca040df20ab03f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
b4c0c16861c62d738ceb02370d1abaef

SHA1
cd1dd481d245dad05cd60696c4aeb2f13468121d

SHA256
cb37d33e71cdae7332fd6a0391c501d60a44926ec660a0257c88ffe76c29d478

SHA512
1778c350efa71b708b0e77432eb50d4b5955fe518da03d74b325f4fb87dda4547d06296649605b3d1a6ee61bb734d16f2e65e2f7200cce2c3e46727f6d82d828

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8d3ba7e9533824432b6bd7a1f60ea9b5

SHA1
efd0d4d3743ed37ae24164f79a3bb81c4ab6fda0

SHA256
c0a6aba6255233da704274ef4dc8f0fc50128143b3da247be9a8a44a9daabcaa

SHA512
0939b2f7d85a36ab95aa5a2fefd66d802a4a6ebcacd3067330b199827471e77b5b78902182c2a321f8e329c5f1e43d550a1955b7c8b25fd1019e33bd752538a0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
7159489ca8ce4b5b0154a9b0f7562358

SHA1
13d1422a42e0c4c368ee271d091f877ced5d9d8c

SHA256
845ebf8e6ba49d3c96df31bc294a81b9376eb2291b41bf4f67ce4e5530a5276a

SHA512
402400d4f84fcd5c61e01538bbae3e0a5bb31c9145dd125856ccf3ef92c4ca7716d49696ae1ee16243318b86f981a7476355f29854c36587232d9b08ccc1c4d9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
94cdf89037a43cb203a4950f21c33a2d

SHA1
017304559ac3facaac2f4b97a2ecc05d8cc3d484

SHA256
f273d4f9d7df4cf8a1e736df979935ebb27f5c15bcca8e34ca04f864506d3435

SHA512
c96fb90a395f015fae7a2580fbf30f2a04211be6eaacd05c977be6343f1190865e8ef0e3b637f5fa709dc5385153a83b89f6ebf15d7d4bc97249f33817063d28

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f1126aadc22e7ddb92deb9f395311598

SHA1
ca82b190fd1ca3202fa55d73dc301e23adadb173

SHA256
d9e64d2bed8ea72dc824d58b972f5b13b08cddd57aaa77ba44ed766b29aef043

SHA512
470c0ae3c37ab8c3aba06b20384d5012290de225adc2de6484fc811cc75dce1bf967c965b2f599bc5fc9772f231ac4ea3ef52011ce4f9cf7a6ae49421785cb1c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
7a4ddb2fabf6ed88dae2dbda3cd75387

SHA1
1857105131e77ba13166da4b60d7ca14e26a1e68

SHA256
50dfd1ed68bebd78239a411585c1465526592d77cb101516aba4e4a599b12742

SHA512
225e2d283b49993a81d5c2b193d14684d20ea58f88328775688514a9c0a92647bb38400f91e85a3c8cc67bc585dda971f809e3499c31ce26e9e41fb778c61141

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c28bb9ae372e5b176724a0495cc58354

SHA1
7cb219dd2f7f10eb654b88c7b711086ebe8a5104

SHA256
e957b7e27ed2fec4e7bdc2841f43ecbcc341d6d05ec5257698193658588536f2

SHA512
c0ec2d2859e6d8f24e17d055e93edb112aa0dce32289e376bc6165fce796708061520735199be86e7fd165a824341ee9de5486fe509bd21369ecf2f4972884b2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
4e65c4697787a5af36006f8041dda2d7

SHA1
54ec844d314d2fd5c1a3aa32b52a98fef4d7363c

SHA256
e122cd7f5bf2c09f5cc79e2566d9f858dd618b205a6e8a7ab134e8d137669959

SHA512
9c4686ee1a79965d93122069800ba51ce3e6fbe43b9e212a895e8a4ed4f8e7144074e6edbf085d18996f7e7b1ca4ec9108d3d2d7b9320dff6c297c3a1e4bf24b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
7036bc37ac0b981ead759a05ab5c4e42

SHA1
d40ae889fb3263eb6f3ddc01374a2fc72a9cfe9f

SHA256
dd5e4f040217462f54088ea76c83c06838a76d5d30fe6900d8a471a34e7be341

SHA512
39aa725b54f21806007602c51637fe51da176a552a3c0f2ac6dfb7dfbb84cba459086f4aa9b7a2db8640b066e4d6b1237d6a43e76364ab281335111637942a75

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
340dfc85967f7f09fda1720ade4cd61b

SHA1
f1ebe975cc6873dfe4d8618488a16456ed9d56d0

SHA256
8fc2b0f04fb152aaf3f50aadaff8f2ad7417aed876cef35ece72f7545f2ca0a3

SHA512
ee99dbc7e41c2d71d8c1e608909ff0dac3f525792f0e92a73806e691c6b37979f86276f294e2b1a23d34fff697d7c769fa412d8133301ac5dd9e10587ce8b016

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
08d555e356702f04b67d6dbd1b605dda

SHA1
4dfbc1393ab7c020bb9e5c194415a2509f52a389

SHA256
ddb5f78a928924a1d7593fa5aa5153064f5877907841376ba6bf772c0ad53169

SHA512
75688aad7e2bc2f022d3b1e764d42d61b4cf5091154924816a8136c8e588e30dd99282ab103cba82e6d0588fce99b314ddd1609a50dc4c8fba89feb2606a47c9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5222646466b48e6927a9255cc06ab890

SHA1
b6aadcd452f843824ae310d11ad73f38ec8d58fc

SHA256
0d500d4b916fbd0b916974701ea8be29bda8e05853c00f2658978b906c80686a

SHA512
3fe9687eeb305eb21a431e35465529e98dd44e84c046d52164cf53df8bed30494ae387caebbe0775e5eec61951624e4e706514e1c5da6378ec2122dd54779267

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8bb0db881217382930372a8fd6a0f811

SHA1
3482c72159e24aa3f6fd1d030b59d653f21f7c02

SHA256
0d93ae94c4deb105933d3c5933f7c8eb441d970667e2659ae85267c956547452

SHA512
9d2dfee6ceaaec61a2451d385729a0ef95405bda8fff53ebc22dc646cf9e2876c29a7641b32333045d9aadd635fe0b65f7290ce6461c44bd07c253390e327de6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
ace9319e00ea316ce8af5fc4474d0fc1

SHA1
754a2b9033adbfdd17b798d95a578aa6771e2524

SHA256
81f7172bbb16208f3b6a890f54952ae23a5d17fe65b7687632e0ad33d12130f6

SHA512
c1913512db330de0de99e8a16d8b56972f10376bc80e17e7aaf98508b357c76afced4115390cec39856dc69d86c9b18c197371de7a93de36f27816d2eb381445

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f057ff35142f72762f5c41eb686940bb

SHA1
9969a2339c454bb0c1261d9c5aa4f7236c9d7aad

SHA256
a3a2f63f42c6b0553e15c8aa6d4f3e85d0ae478dc0ab73666f83d59a21e5de6c

SHA512
0c17fb31ab8a972b8832d731c7a951c7fc37b8b79704488031272738275aabee63a759d0ea00aa2988a598b904e0d34794baf0dbfb2ab01f17bcb6d05e4069c3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
3c1a66cedbe8290697d797c1c5ea4cf1

SHA1
745d67db363fb6c880bfe551b6d8236f473e437b

SHA256
ec3179a9083cb29b07a34ff06bd9fb5c0134e770bf0b8eeb559ca3eabcb1e120

SHA512
d57700b89d310235b1e84c5866f47671d5d43b63714fb4aaf0bdd62e7a585b3a2f68f83a13f8e33f0bf8a875f5afe086d8f6219c37d1c43d0e8505304a44fee1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
c97f7d95e1639943001d6dfc3fcc90e2

SHA1
ff11cbf2d50311948876e77a43f6072cb9ed45f1

SHA256
463c0c9706aead0f1481c05dc255c81950bc75af0eb20fb7e10dacde51e95d5a

SHA512
f14a1aab7a59282e126b3470cc7fd55c7b3a70644594156b6fd8bdd96578437a19753f32185095dab8315fd75a6bbffc9cf49be91aa54692be36792f8784e3fe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
b7864c242fb9ebdcf1292807327af7a8

SHA1
37d86cc9ca65ca2e39102ff5d6ac09c1ebdc9800

SHA256
22064b8fa7871d1134d33c87cd9e5b64f0da496b8537700a69501be46f41c955

SHA512
15f635c3953e053567aa8e479138a99fe5b0a9a8f1f28a4504b07d88c43b237b63083871645558c58591464ad954dedc1f4876023398b5347b76a3d10843e267

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
406bdb351c6953d2985e2a381e6adbe1

SHA1
e9f4bf89bcc2cbc3c8ccaee93f2da9f29061a046

SHA256
038ff9de6647996f6a0b6b73a42bbcb3acf1a156045bfacc79bd8b97041050ac

SHA512
d10d8c0b381d01f5000e08cff582003bb56f279ec8771b622f713449a04a64c25772c9dce547f50761cc6dfe0a4291297f4a735c2ee518123a4a83b4fb54b59c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
448d542797e2576c930b093b04740ee5

SHA1
db6ea036d51da76e31419d93846a0804b39360ff

SHA256
a83cc30236c50855180c9f8ef41a3074fb11d8c2d8e83ffce4aac688823c2664

SHA512
975e70b3f00f3cd5676aef08431af4733181f905acbcbce160c284c1075e3de1be0f44bc76638ec579a4279dde8e4283a178d3a538bbd3a412436373a6c990ef

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5c80b69d8f780d639dc3418f52e720d0

SHA1
1328f3ab3771c3ee86cae417a58562ef88e1797d

SHA256
fa31d9223db8b1aabdc0e1597bfff5a62f851aff634a7836c1989e45a27745f4

SHA512
a404d2fa8ac0562d7b23554e18891f5c8c644a30167ff61b5842727a6b264a02a8d508ccf97245517f08633a0d09a9dfe1201bf90e1b39cfcd8264dddeb30050

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1fe9d29f27d882964c48814d5db53c7d

SHA1
66cab85ba96e937ad556e9691726579bff405cd8

SHA256
000a9fe3d6f7d2f9d03292e17d2e1822859b074efd5f08d320d43eee0e84a32a

SHA512
90826978369c0e43e8df2d730dd706cdc1b0193fb011e688cd0aeebd4eb8c99ebac6fa61a97ce135f937a06b22ae9bcd51883e96348b0fbec57030f77a1ac675

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
9abaf5b3c575b03a5f64151f218ca0e4

SHA1
5d9af7576f2c9a74721554117eddf5dcd621b73b

SHA256
2f9850e63e9620bbf4a077a4dc28ca90efbc6ad4880baf31e55e8aa17ced7a81

SHA512
b3065619a90b243e14d9d3bfda1f213342f9b2e8e3582b8339d9330e1dfffb1edc7f43b51318f76385935dcbdb082f4ab6795a8f0651631369704766b6250d6a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
d326afcbb36608ff62cae3c02fb366d8

SHA1
0138e58b94d25272945d6d1a03de548725893514

SHA256
24193435f3f4cade06f899b6c7c7894139875f0e4c1bc985be3d73914ac9fbb9

SHA512
a0393b45b2185bcf0296dc8a90e19f32813516e3f00b476abfd475590b19f0308922edd6e45dce1bce40b877c8b0d9dfe6e13feb244564d3a0e516d1f0727b24

Download Submit
memory/768-247-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/768-702-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/1348-328-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1348-711-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1556-681-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1556-332-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1556-210-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1664-295-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/1664-191-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/1800-18-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1800-11-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1800-184-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1800-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2688-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2688-704-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3172-701-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3172-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3252-521-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3252-6-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/3252-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3252-166-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3252-2-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/3604-157-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3604-167-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3672-258-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3672-703-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3732-296-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3732-709-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3960-196-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3960-307-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/4132-104-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4132-130-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4132-129-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4132-112-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4132-113-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4256-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4256-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4256-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4256-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4308-712-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4308-333-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4396-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4396-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4396-32-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/4424-155-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/4424-152-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4424-142-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/4424-143-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4424-149-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4512-660-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/4512-230-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/4608-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4608-269-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4616-319-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4616-207-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4940-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4940-122-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4940-116-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4940-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4960-710-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4960-316-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4984-182-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/4984-283-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download