111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
Size

1.8MB
MD5

5bf968acc92e55588b504cab5183d3b5
SHA1

84d5f3a182e642fbf856499e1bf327428466a436
SHA256

111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268
SHA512

818aa22f7ef28fef1556b97f2dfa06da71c8ded1aa08f30dfd3aa942338095294631ad5e91d5a53879b97f2fe4967bf97cca8270ba01e46cc524ad24ae1e41c3
SSDEEP

49152:px5SUW/cxUitIGLsF0nb+tJVYleAMz77+WABkQ/qoLEw:pvbjVkjjCAzJKqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3320	alg.exe
408	DiagnosticsHub.StandardCollector.Service.exe
2248	fxssvc.exe
2220	elevation_service.exe
3708	elevation_service.exe
64	maintenanceservice.exe
4920	msdtc.exe
4160	OSE.EXE
4204	PerceptionSimulationService.exe
3728	perfhost.exe
3012	locator.exe
3480	SensorDataService.exe
1748	snmptrap.exe
3536	spectrum.exe
2664	ssh-agent.exe
4732	TieringEngineService.exe
2996	AgentService.exe
2012	vds.exe
2876	vssvc.exe
1012	wbengine.exe
3676	WmiApSrv.exe
4492	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\wbengine.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\System32\vds.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\locator.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\spectrum.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c3161889234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\msiexec.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4297.tmp\goopdateres_ca.dll	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4297.tmp\goopdateres_mr.dll	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4297.tmp\goopdateres_pt-BR.dll	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4297.tmp\psmachine.dll	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4297.tmp\goopdateres_hi.dll	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4297.tmp\goopdateres_ar.dll	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000475688c4ef9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000502f81c4ef9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011aebdc3ef9ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a06f00c4ef9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d372c2c3ef9ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006837c7c3ef9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d4194c4ef9ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a25ad1c5ef9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012df91c4ef9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c48f9c3ef9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe
408	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4244	111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
Token: SeAuditPrivilege	2248	fxssvc.exe
Token: SeRestorePrivilege	4732	TieringEngineService.exe
Token: SeManageVolumePrivilege	4732	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2996	AgentService.exe
Token: SeBackupPrivilege	2876	vssvc.exe
Token: SeRestorePrivilege	2876	vssvc.exe
Token: SeAuditPrivilege	2876	vssvc.exe
Token: SeBackupPrivilege	1012	wbengine.exe
Token: SeRestorePrivilege	1012	wbengine.exe
Token: SeSecurityPrivilege	1012	wbengine.exe
Token: 33	4492	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeDebugPrivilege	3320	alg.exe
Token: SeDebugPrivilege	3320	alg.exe
Token: SeDebugPrivilege	3320	alg.exe
Token: SeDebugPrivilege	408	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4580	4492	SearchIndexer.exe	112
PID 4492 wrote to memory of 4580	4492	SearchIndexer.exe	112
PID 4492 wrote to memory of 376	4492	SearchIndexer.exe	113
PID 4492 wrote to memory of 376	4492	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe
"C:\Users\Admin\AppData\Local\Temp\111bd1116cba8de1f9337cc6d7feafd49267866f86f0d0032c84337cd4729268.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3620

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3708

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:64

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4920

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4160

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3536

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1588

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4580
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d75035e98d424ba321cc47cdfef94a55

SHA1
3b977ae9a71f47bfe087b101708722d648613fe7

SHA256
d098e2650071b5eae154c6c33d8a43781e93643345b2a6849f3e23f4cf58ac07

SHA512
821e16b2ecd4c54857afdb02fb207afd6434f7c418a35052dc4198be1f3375029b28b260b0c0506bb774514eb47c7f58c492ed8ddf7512b85f2f579460ada123

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5384d5d7494fd6a5f6aeb54505ee56d1

SHA1
34067f6fe2612e8322bc53145d9fd076bc3273f8

SHA256
0a6dadeb5a8609c55cfa45db90b5d7786fedd491ed959f69557418ad114e4332

SHA512
9081ff4afa052865b2d2ce2e0f1f3a2a6d947c908daf02036abfbcdb52b5fdaaa19b2ef1ab35f9140ad570ed8d059c26dd3b5482beeba80d469173e738006c43

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
48afe589aa9a914d8afcfd11c8b5c498

SHA1
65c38fa5232703f4161ea2c186a51baf6c501119

SHA256
7eb909d1005e0f5429d46bd3d7408d0e8619f21db23738c523221efd60299279

SHA512
a003cc44ba4fa2c8f7370f74bf4c8761efeea9fa1e82e1b1fdfc581d70e3d69e1e7bd1d6aafed3a1fba702b24cb2a2e1c0c9467031792c84434ecb35841e2858

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
478256a5b13e51b28527b97614c1bd29

SHA1
0bf26cb709bea222f3ea8ce1eb5dd1cf16d8f0f0

SHA256
968fe39f9b21472b7f4dee3f06cb2b59f73f4927b9618460fbd283d92c5eaa9d

SHA512
d1c14f3219754094bf59b1346883f1bd2063a4c8270eb91471f20f25face7590567573070238d0b9f3e1cf02e9fb8ca78c33376634d81c746f94fcf9bf0f7bf4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
94fc5b26c0f4afbe8b1d501f185faeda

SHA1
4d366fcd01337fc8801f276add9668f25d5333cd

SHA256
4baf959e55063a6bc0b5a7b168d9180ca07ca41d7a87fc81dd1cbb5c24255017

SHA512
40d8f4f4e01a5da2ad87498c533c1e62377826e0f3edff779130a8e30e8e584932a85611afe0f1c0dfee7e16024f550db9e89fb418d21dc25f2b2994a262bd62

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d7403d961b5fd6242a3d06743446c24d

SHA1
5a314c73e78a74d67cae414dc14acdddfc6349fc

SHA256
eea6d5ea441e498ba8bc70fa7be07c6c34cd2d3fdeec6fb968c38d8c5bc9ba8e

SHA512
abe0b7b5eda4d42e415f52108c857e330ab4287d24f52b630916fb4a64c664f542a9b4127c27e9d055b72a90a82039be0453a2fecb61dac87cec2b80a101e409

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
db7f828b02a2622fb614e25cc32adf3e

SHA1
487fcbdb6ccdcb0d8b695111d45862618a2618a1

SHA256
438a7dcb3bec4d385c82ea38798b0e32b1b41deca34b2ea1b649ecd5d7bee80b

SHA512
16e00cfb4e2f90383d7a75501d7d37b6d63beabcddad51912b0b04b440725f3fc4cd93448077f28a6790263edcbca8c025ff2960556007451c4b7b63e7f8472f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
44403215670104ec90ea04d05893f295

SHA1
eb0d5d059f110f97e9d19061b882b4320e8f0b4a

SHA256
27d5c6fffca359748fbda151c697b4c902a4c103974d65662b20bea8c5bb8b80

SHA512
069d94548afeacfadf1dd7085d8d1cef4e07f08aa09102a8b82d56406de7a2b62a9f3c467cf291af7c75dd81b7698078c8139ed994396f871b0dfb697f5cd087

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d73617e1874e34cddd4d447780514981

SHA1
e65600f967d39d774ad4cd8e945d328b927fb000

SHA256
1129cb725d54a5ab926ce9e39d5aeeae4dfaa9d054a9be384e6f3f7b1e3f563f

SHA512
a5a432d80d5d14b88049698b119fd1839c49411f969e2a71c57aa3177731473a87e4cdb5accea7ccc39bff55bafb2fba7311804009c9dd7c905073b583276511

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5e41624a2522b6422bbe02a6a70a9203

SHA1
b588a10b0dd6d3ff7c5e57c753efa99aee50688c

SHA256
d0d4385edc873e1fcf83a373b597b936628040e38b3dcf10e09f66e92ee82cad

SHA512
2a05948120da0a58ababd689ef884e9c0c2bf5050490c923f86770c78ba5f45e6edc7578303b57f1890b24d65f60ab1710bff2c54bff2c6a88a2abb753424d9b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
96969dbb9b8b44b29cc40ccf7f674a67

SHA1
a57d73fb95a3592006909b72950b123c5362d0ed

SHA256
f39236d03dd5e2dc62548cc0320683b8dfef63caed73641742307105b3804f7a

SHA512
6c31ebc6efb3240305f0cfccd5c933d3ab61fbb3bd719d9411a6a25536937acd23a6ad0acc420f82deae0228736f2829486f4a503f1a988c2e5b50b914ed008a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8df1c62c1b958329484b008957137a92

SHA1
0d82d2012ae4de6405df5839d190e82c659d5333

SHA256
b1402d258bd092e5d3a5b49e338a72135967c9a5599d4cca48aaa6f32945eef8

SHA512
3d701efd3d95cce31d1d1f33de2db74969b7e003f29b4c75afb06c63a6bae4983f169dfddcee1953e386a3cc50f168d95112b65e38802a1ec4b80264dbd1bfa4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
5dd33c980dc77801fec8f51817406c85

SHA1
ce931390718f8ce3561237ab232b8914d829d0bd

SHA256
c8f936bc2271c0f55d55d9a35a7054f0960e406168b6f2aa61fa3aa683f2fb1b

SHA512
6440f9994b0a70e36d83c7eb340608524ad309fd2d95f5619b230931574f8d684d8d07321cb4c85bdcc7fadf462d8ae4355b5829cc3e0eaf8abe7e8798c20a99

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
c9734c6114e79f137c7a2487cfccd089

SHA1
87a685e487f9b150ef243d45769a3793aebdf4b8

SHA256
f5f166d06fd8974272cdda8a7f9a783e3631252108985261f2ca4663a06db607

SHA512
1aa7eccb76ec674341e204918a8b33859ebdc6a3521227e43a3629fe54d626b75263de36c1250c8c547cc3120bb0c7dab318d48ce9bd920c6a7eb3bc15f427ac

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5d6c7f89389ea9560cf499e82193ce44

SHA1
04ea10b1b9db8109347005494ec39f4f10306b5b

SHA256
8547f0818eb3f6c3fc701ba09328190ccfcbf8addb269fe37845410eb9385d63

SHA512
3f78895fa27361ec4838dba9c8c7ea850f278d20b6d565d9c919349dea13bdde405dd77e79633e9dc8a14fce31de90daa26f8e04be25c19c73a21205ed7f522a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
3c62ef5276928788c4c47379ae910c57

SHA1
5b475d8b7c4b588b5a5fb5b40d2763aed76988e8

SHA256
9589efecabec069b0a28c9bcb98a98ebb084d593bc0749c817424224305cf9e8

SHA512
5a96df691ed78919a2d03cc79e7fe1957c91bf82d0c93dab645a29b3e40774c1d6a42359630ebb776558bb01937bf37bce893714f42962685cd1eb8ac4c3876a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d6ae7c3387ee2e843b042c777f59bb52

SHA1
7b2a810ed34a0d066721ced64c503651c6ea9dbe

SHA256
21b3a8217eecdfd7594c3c140431cc164bcb6a14f8a58e76702b3913a7bb86d4

SHA512
f3f8c5f064a11775a6dff1da780f3a8a522840e992ab6aa06459e69e033c6734fc88c902d3b2f57ab00554abafda8dc4435ab5c613d71af5848a67cfedc55f06

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
26c09a0a6d957ac8388d79e696185763

SHA1
f3c159196024617f94df86039e3fc8d70cfe4535

SHA256
76e80dd094826ea22f177bfb956337a4929eaf2d2d1f682b320c5d4500f88546

SHA512
692d84f134514d100ce6d904976922b4cbc2c7a2ae7e4fb4f5bd12c47f98c3bce282e56834b422c9c6ad4c3f05a94ca3f1839e2b6f696e0b473ab9b160e46215

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
671a1d38f4dd18a415c1de19f821d633

SHA1
931bdbc255f341e3c1095e4402c386bf7c898033

SHA256
94cb69207acf17d8bd4bd676d6ac676ccbe0ed3c7b03b8e5738a1221b01fb7bb

SHA512
754a0d062e6c7d5c7228df89413c218e905ed2c3c14adc7d606f48849cbf5cc3040b44e973d2ae9e52dc7849b14a30c9c870895327a7bdd16b77f9875649c816

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6e6ecda2d27b27af314fefccdd77d4fe

SHA1
f997f2663f528b32bcf0f270e5440b035fb09a5a

SHA256
dfb06aee43335d2f8eaeb879bbb1614ab8eff57f35143521a36c4dff4ea703f5

SHA512
811430ea4dc81fd76ffd8008aae5b9f4405ac846b32e202cbde914220d4ea8228961f3de700de900c28074295d80cd8d7a6ce35792248d3e3ba52301909823fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5c794420ea69a9984e5227b127af18dc

SHA1
58112d0933812e5d023790ae212111cb0789212d

SHA256
5bc105b24428e51931044fec3ebc27181b032c3738805ec899f5552b4a952826

SHA512
750badccdd49283a5651c9882b72882114cf7940a27c5b634520987735ece659cb9b26b3e62595b3391b6de6ba989bd57bdeb56af233c6f7acd7a49a75017077

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
20ece3768001df4274ad7d5a1d75d3dc

SHA1
b8ce0dc7d2fa4a3027f79ff8d92dcaf53499daeb

SHA256
f9793c324fe9930693b9cfc84bbcd0aa5c68c67c94eba3f1e3deb0e797fe79b0

SHA512
1c75b9081cfebbca7444c25d194f2a72102832aa2f485f384b78588e3ca362d5b21d8691f0017f85700882de99f0dafd41fd64b6a259471a47b3bdadb8add7ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
2d0d60ef4e313fd27797778b35bed2d9

SHA1
223a058dc6739b71216ebb2cfd6bb58d49b93ca7

SHA256
d75a98751a965a414505291a644fe00f0a7abd942b4495fb1a78875f95471206

SHA512
312651a5db3b84d1e34c5b270c80d06ecd7da1f8de97255f028aa4ce52ba2e3f5a09be2f10df8a0fd39bb4e8316078410af50a823a03321145309531144d9d5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
ef3372d4b605bed5a15dcaf96c057eb8

SHA1
5cc9e04bcf96cf0d6be1577b1afb6fe08a9da789

SHA256
f17d47d4dbb5368b4920bbdd9e5dd61c74247b7fc9b812bb169c15ba5a69f854

SHA512
f950b2e90a4f07744a0714dd9832837905a23790b9fc7a277ae7c9c69c2e7cc9998868895a15008ad72cf88e8971f470c4244ddaec601bd7b450aaec60fecff6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c6b50621ec1516e8b18c55db8f68b691

SHA1
a5bbb87b465db85e8829c577a004f3c156a822c6

SHA256
5cd333f2b3e5ea2d04d019f3f4bd04e573e3d7294669421e91a3bd2a40b6b013

SHA512
9ebdd93e65d311e8853d2347077a6be1e40d493bf8425ff9e5a9cd418a1232cf1358c1be9dfab6c9f1cb7a9f31ce731d8b75941fd3837f7ff8c7359ecc750e88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
bfefed9290136959aad6b337202a0ec7

SHA1
48579dd54de334e06a936da03346d7317c08c260

SHA256
aece256f3fc2221559cf7db777a6c77edf7fab3a3271eecc3a2ab7dfafca5509

SHA512
e252d3196a318419cebb66404f98a0dd074241b05c308ce9ece18699853850aa09478afe9162080bfc5c90bd7048e570511957166af64b94d0219e37c6e99af4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5cd8c47fae244667047edd019738b385

SHA1
05a6e56cac2d3ee8ad18de0aba0e92f65b580524

SHA256
74fd2f99a02f2a2fb7419ebb720b47883a24823fc1aeeda95d23774bb42eee10

SHA512
4214e28e10c62fc5dcd139fdc1ea6047089bbf18ad0d40954a32a827c2255077276b5cc1cabf4429e6e1b2287e04b17bd19c6736242776f6589ae684c6f61470

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
223f247a6a5ed6f963660d68f3271e53

SHA1
5f073d27ce35d24c7970a58989a9326d72c6b1b5

SHA256
be2984460bd6de2f0fd30b0aa0460dff7e44c297504b7c174234244a98c3158c

SHA512
dfda27a39c9c42a1179f0ee5da43376a23e4904393e96ddb2ca7af62ec0b41366f455b757d1e262dd0b7fee73e4520b4a744ceec7bf7087c08378ab6f12532d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
9e88fc17acdb84f745c1967696909b07

SHA1
c33b5e94ea4ca7583edea4bb7676cdf5e13efb62

SHA256
a7b33348cafe361e10b6e0dfa37fd39c10bee6379df0fd4160d8284d550d4238

SHA512
f7afd6f038281fae1da84af80ba75d7a6abe18727d364da3032a70728cd04c5fa3af5915f95ffb3aa2e9df78c4ad1b76ec79365c209871e738358948d4fded68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
67e1ac55016f21ca8ad674796d04db04

SHA1
39fab8fb74e895f61e8dcb19a155077199ba341c

SHA256
ab038cce17654db979aa7f233ec80a000742893f315262c8cd95381b78f1b740

SHA512
e93aaba8f0594cb2b8072510ff83f8ced33f205e18ee43aa1f19603f231563651feb05284fd64555aae0bb92797f7c463ec9e5a21402ab7dcfc04adcab283c75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
9a99562fbd37796f6b17b820bbad1be5

SHA1
aadcc2cd6f56411b0fbf7f691cba3cc9c1a2c0f6

SHA256
218f04fad5333fc09654f4d8e5d58e0860277a63f7f2070a1c051615640be904

SHA512
0a2ce8641ab836ba7f49d963e74bdcfc0206286488fcecd1fce36254fdd4b9eafad6533e0ecf42a7478039bd2f2bb8c6cf5d37cddc0cf13c3853444efbd3284a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
32e94a36fdf8514bf864800b45f21987

SHA1
810f1025c325f0ce94017fc2685cfdcb6bd3dd85

SHA256
0a22122cbedd687d88519e55164d108ebdef8383b98e29dfcdcdf26656455ef7

SHA512
dae29bbd79fc8b2f583ad3f7c4cbfaa99dc2deb81a995df5c703f826f9dec1b62dc60630c5d20a1d67029a9811d931b30ede5c048bd5da1884b48fd7f5ef57a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f33608e3cf9805b219e444c40b0ab4d1

SHA1
24036d271f66110666f518f8cad1080451b98b02

SHA256
344faaeecee6614e2cc0c4466e41607d47cefe627bb271227ece640c1eded697

SHA512
ac092a44eb2629d3940084aa16f4f50ac3c4fb06eda62b3d7df8b2bf553b85d154097b56796b41269eb95e57576b2d432e4e7e57ea4bba01261c6d200dc48d85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
becaae9ed422d968c98834c97d165d68

SHA1
ee898f557fca854ded175b2fd48e4d166766cc58

SHA256
688a0ac3a6ae2c357cfd26bc617624c04b9b78aecbe2d73daddfccb65af8be63

SHA512
87690d8590c7025af1cdfaa39361ea841675b4187a3b26b0730fb016b0a4fb5c0160e74dd92ec91286e8ffa01ffe3f6791dff52d6e0c1ae32eb10e4ea11d534a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d931c1c633e72b56cc9847b511f1055d

SHA1
795fabae2a677d1ea1df58e940bb554d34c456a6

SHA256
46b8d6c7b4d0a7505de8001968a929e1c71e523bc7e73ee3b148d773c6e19b91

SHA512
6dd4a28872f0467a09f390f1df8d18c4c1bcf2d763506a59b5090518d5abf3c8de5905ea3f0640194a82d21893f2b7ef030b11e160587d7a5f635c06ab1b9883

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
729d9fae910538ae96b137808fb6b816

SHA1
cb406ec5df870870f6e5dddf8c7f55385cc14181

SHA256
1f1d8bddeae1d534003a6c347bb6b5cc0155dc6cf94065a27407af65db156ebc

SHA512
b2fbe68983caa5034def4779f94d6f3532dcf128067ce198341666bcd583c34d197dddf7e1677539254a2821c7a7feb95194071099d390a950dbe75d832f065e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
01225b5ab464d4c25f7885b0a9ed4dee

SHA1
070625a86d1ccb970d0082ecf0fce7c16536f844

SHA256
cc5067f0755643264b9f36a38f435a5a74e8aa00919d46163e28cbb1492f2128

SHA512
12df8e8023de00fb8b482f07f6e0d2c87f389082cc942bb5cf5767f92c069ff548ef77e14e94f0cdaddae77ba6b7fa79a0d3ee0911123a36338fea9f18cea859

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fc2d9b80b70b887a10f7fcd331a67d8e

SHA1
9e533f03bca81d4a07b49f0d8fd3355b3451cac2

SHA256
073b7a17fab5ca5a82ca7a7726ee2d01d041a1044e22658d1eee9f856fd18f74

SHA512
c49005514b485db1600252edbd8b6554455016c5d10c796dd074d91201da76b16006ec017583a96016e85d4cd938132a061d212267d176f8c4647bb0b02c337c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
265e997d677af631ff17c5711d86041c

SHA1
be092d3eccba2c3ab3bbcfde0ea51554f4f588cf

SHA256
1f90c67bf61bc758cd22daad413033e8757457ae4f1cc83b4661a759acf2e84d

SHA512
ce1109176a2724fa3dbe683d494ae5d94793a10a418aea482dd2a82083053be82ddb6a6e73d5604aa26ba262c02ebe0123135e8e8b72af6238bb26941f1d036c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
cf930d122be78a9e5ecf9315153e4c75

SHA1
157e3627ca1f472d3475b827c51153e4c87b69e1

SHA256
8c839b4749bf90267bcb2a04939a082e91c6a0a8c99f7e2b17949a42b6986226

SHA512
345dcb125a81acf4f4e92414c98715df69cee563a3c4857af9912ab15b1fd44a0421d11bf207249e166b1ded93d83cbabdb50169daeabbade94e2bf75779a7f1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
170312f45d1132fa9a41187692cc0216

SHA1
3f3bf2ba7f5170336f4520fe48f815c306e9105a

SHA256
914dd94a667ec2d5f1f625986ff3ebf33b05bfba493ed7312180a6b28367de3a

SHA512
ceb2d46116ee532397eddb5b0da6b1a6877b202782769353bbe85d1e6c464f9fd6e0421c0419b630a9bd1a7d4a61e1ddbbe0847ec5b9349516f58d62a2bf233c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
5a9bf1be9568a2b8c240d5d5ed3d365d

SHA1
ca5ea3645529c8cbb487439bea65fda03fd16c30

SHA256
41de67e8aecd8230e728a2effdab7db9cf0e261e119610fc2f72fd471009e3db

SHA512
67603247e97c446482589d2c4cb703afda903ee9f25e910d8fadaaddc4ee0a24cc8171633ac6d0f6a8100d7f542a769726d59bcddc02394dc8297a6501031fcd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f0da753c684afd829f272b7892289d25

SHA1
aacc6d4c2d70898de8131ec4cc1ed4552770d3f0

SHA256
62d03a1bddc6f706cb0d7be8351d25e850174426087f2ae5966593c4c609d697

SHA512
8c48053f033bd8bb6329b914f11e89a63360e45df5541b9632a20472da0d2137023e0ebfdf4c9dedaffd0c055fd08eabbd4a0825f0e31b33aa66e7942bb8011e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c735d3271b6dbf40d1aed67576b4966c

SHA1
2f622c1852553f5030bb5eab434293fef7647d19

SHA256
dd677fbb9ef948f1d7e10aaffd7bda3dd38e2e4998f571f7d1fcb44d6dda7bb7

SHA512
a660cad4231638752396f9838eb5b80ad007e6992356e1da079de88fccebec6ee22e61ea019ddefb8e7a796ab9bc440fcadb319c5b5e4766ce4578652fd1c76b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
56d57e5c044e1524b721abf6ae6549b5

SHA1
64b3e3f7253aab9252331c2fd0da82765435ddd0

SHA256
9f63c8bc55f7f21ef24990ceab0c99d77aa431be141007642c4518d0df4a2b87

SHA512
67aa0215b9c6363ad97333d617487defdb723da997e04cae2430cc40a817b6a962359a268d5a7338b739ff225e61e2219a5c38f95efd11b52dced3da745fa8a1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
9fbe35c27b5e331fbfd7f028eb26c3e9

SHA1
775f77c6836fe9eb13a39678479e9b315d4ddbce

SHA256
a13a3759824bbb133f3846d65e1159bdb04378e937227137ee5a69e00d1e6b71

SHA512
0eb58c1a0573d2de3526833c6555bd7e776bfcec4199a9bd837639b25a812ec957613bbf54ad8de66ffcea3cb641830d612802c919e62dcaec9e6e884f622a20

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b195bc27f2b624457c33a9483769fcab

SHA1
3c09e58c57fb7b34901f17ba38e846ae1ee66950

SHA256
23fd649114580a0a5c53531766792f747ce8ca9913ddf9d26f71e030e19c0bc1

SHA512
6d23b0b5462a06539e676f8a93bf6865b9ce0965898f4b6fbd7ba4e10dcb7f7112411356669707652fc5b7804b8053b2cff3eef6a4b32d6828a79d2c0dd9f111

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
583376f6eb7d7d9a9cf19589b734efb2

SHA1
03aafd625137c4b85bff1ddb80b6c634f9dff4b9

SHA256
af4002b06374c775d792c4e66a14fe8f65de6f2f776e650f93257740154f5b27

SHA512
7e8cdf0e0e1aed9e2f5d1a5010ab490c9368340f6d7e1321d096bedb5381a36d7f448cea91180916675056ae5a4143d9a6d53043700926f7b10115ec06a11982

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b605654808d4f1293063612f6f7730e3

SHA1
96fdb18d537564991f796e7aeea8c6689230c333

SHA256
65c562b3551c7de863c6b490f472a4424e3b2c1bc76e0c51f2e9ce9dcc1d15a8

SHA512
e67b7d013effde70b520d060324db953adaf84b39de65234d1ea121e0704925a0b035ee8f13e331f0a7568765eec5789815de45f9930541759affd0fd5aeca5d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b812f17620466817c14aa5b76e71f96c

SHA1
d0796b61e8d5255f1cf4f4aa0151648cf55eeaa2

SHA256
912e37c7a86d3612012187155b93a888c8f6cb0da1c17b6c437d09446d87a760

SHA512
2941b3b85b3caa9727ba79005c305290c640c6b272c14b79c263b5901acc68e680920ef62ae8a4dbc7b44e57c3dd9098b81634b7217aa70edbb9f546a5587573

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6a7b59db36e9eb7b79ecec95d18c41cc

SHA1
1b6d9d63bd616b86577ac1e793e402367326aef8

SHA256
08573969d3bc917b05ff8c97a55f7d114d54c1d2a98bf0fbc39608af5cd32be2

SHA512
ba0a238a1e65a7479ffd64420f31c662097b551484c26e7e6f942cbfaa2d81f08f0f8fa29fb6b0600a0997b2d947a1f69c6376a5cad868d1d3a5797a36701c53

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
e8132944d16cb731cd8a3c2e762f002a

SHA1
10bdd482c5a055057774a320df59fe3e2469d858

SHA256
f325ff3e90d39d47a49719ce5f93bfc878eb14202ac771646e6f86bc61a29368

SHA512
105248219641534aa62c5baefeba705eaf2165e1124af9350bcf1c2e5a8ed24ce87678d74ce450fc1bbee4f5a71e46784097826458b08dddfd2e9f91b422aabe

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b4f1faa86f390213b25fffa54c47c3f4

SHA1
8f932bca39cef7df1d54198bcd7b5c8ce0d5e3fb

SHA256
b20ae00b869c5e7da761f40caf6923cbef99bb4f016974336c70b3514743239b

SHA512
b64eacb9dfc8e02a09b47ed3b104a2a5785c5833d1c61a6dd3ed3b49620356b89b387f16f6dab83fb9ace7fe1d4161c32328d704bdeb995c23f19c573a9f6a7e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a2303717ebdf8598187832d4481b5f96

SHA1
d5b8e1a3072eeec430885f5143057d5fcd2efda2

SHA256
2e0944b066fbe39a550a89e854e5e78f3db00e283e65f2a57325d6576dc2b732

SHA512
80ada3de22ded902b281193b7b577c99c92375dca6846af680f8a9c6b5f3ae9554f24567bf22345df40a65a6c23b932645ae1351171a99b1491f5b4fea3e8ee2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ee318ae2a49acf3340092e95c353f45a

SHA1
d24b89a7a526e4c0075bbfe481bf9c3dedf77335

SHA256
614959b3f095fe9fff4db759d3cc5aa62669fc7c0ff228c129b3e94102c0d867

SHA512
8520e5db9094b40b8407ae0a298a6aab2ad1dd5435b96b3ffc618653d1495872c3a45335674ad330ab539c26ae2184548b89a2a618252c8e7241033683c785cf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
6412ec748f0fd1fa3610ac7293ee54ac

SHA1
b1571d649076e380329f08540b6abe2e8a8fb16e

SHA256
082e391cf80410d4e83d080dc74ec2c4a0bb4efd5481bf05420711c55e6e1ed0

SHA512
1632a7aa9ebc4fe8848953c17302b28b67666a8a783251ddcae5dc5009d4f7973a8c629ecb6a9a1e8a67327ff24333779b3c460756c19ce72ec8da4a26a05228

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6ad4d1d13ae0ea1edee7cfb2f51a08d0

SHA1
68e34b644e2fa747b3e02a186231346e9588ab98

SHA256
6edee99830ede6cd213f67e442b6fc055e8db83831d2c7c5d91d8dcbf5db6565

SHA512
69c2267f08cb20b72a1f2c698609bcd3d765e1c7c63503c13eb4f43e4464f4a6005d1cc27136adfdd6767c170a864e6d35eba9515d0bfd6814a208dd4ffb1adb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
025f626168bbb658b2f91d1e947c9ead

SHA1
5614ae8ab6a184c8ece084d90287ab96a740a8d8

SHA256
db1bb6e7da48b1fbc6c33470c55cf9e039288a5ba4f389f05cec620330369dfa

SHA512
9e7038922a168e476d48f22020459fc9a62c4a0028b647367acd0bf6d42ed7ad680dab486236842590e91db8ef3d089e7a281092a66875816d01a4b97036aa91

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
0841c905cc72c3872ce2122ed3eb41c8

SHA1
f0564bc32c30610a58d3c4b1beb4b8e9faca7cd2

SHA256
b4fb1ec4c02c7ffcc80ac94f5fcfb8fa7604176d2c9cf1d292eece0efadccd33

SHA512
aed404f321afcad5e9240ce5defd7f737ac7edf5a06bf2522fe4cc9928a75e985e3ff9f419c2f048f01b1c60387de54a6ffdbed248b2760383f0cd6ca6e17d82

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
38d60da8eb1204e9ecedad73daf7f9e2

SHA1
07e03bc679311fe2b1667aef9f7676d7ee207d30

SHA256
0785700d0e1fceba493010a22743235429e8d608b472bf94fbfc936e234b94fa

SHA512
92b52f579775275a62d37f8602127099dfe20eca8d2a8a22d81584ed1dd0bf8078b6bb6bacef5480fea142c0518a3e0bcc0350d8fc9991817e6304ceac27143a

Download Submit
memory/64-152-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/64-154-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/64-141-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/64-147-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/64-149-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/408-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/408-35-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/408-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1012-314-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1012-797-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1748-733-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1748-228-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2012-294-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2012-792-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2220-122-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2220-116-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2220-247-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2220-124-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2248-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2248-87-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2248-93-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2248-126-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2248-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2664-790-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2664-261-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2876-302-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2876-793-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2996-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2996-275-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3012-325-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3012-213-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3320-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3320-20-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3320-204-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3320-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3480-766-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3480-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3480-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3536-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3536-788-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3676-326-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3676-798-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3708-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3708-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3708-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3708-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3728-313-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3728-194-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4160-169-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4160-289-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4204-301-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4204-191-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4244-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4244-6-0x0000000002350000-0x00000000023B6000-memory.dmp

Filesize
408KB

Download
memory/4244-1-0x0000000002350000-0x00000000023B6000-memory.dmp

Filesize
408KB

Download
memory/4244-168-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4244-547-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4244-8-0x0000000002350000-0x00000000023B6000-memory.dmp

Filesize
408KB

Download
memory/4492-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4492-799-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4732-791-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4732-264-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4920-164-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4920-156-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download