21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
Size

1.8MB
MD5

ab23fbdf86697075822f09655cbd981a
SHA1

265d9a2915cabce5b43f95623599c53275b81642
SHA256

21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea
SHA512

0d9647f9dd552f8fcd8874fc5c921e327f2e57f577259061f5e95da1feff644e5d7fc4cdb57ca414998c426b09f045230dd690013dd70f70028888c9186ffbf5
SSDEEP

49152:Zx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAvgDUYmvFur31yAipQCtXxc0Ha:ZvbjVkjjCAzJNU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3252	alg.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
1476	fxssvc.exe
1784	elevation_service.exe
4028	elevation_service.exe
1224	maintenanceservice.exe
1460	msdtc.exe
2412	OSE.EXE
4992	PerceptionSimulationService.exe
4596	perfhost.exe
1028	locator.exe
3096	SensorDataService.exe
4340	snmptrap.exe
1776	spectrum.exe
4072	ssh-agent.exe
4628	TieringEngineService.exe
3716	AgentService.exe
2336	vds.exe
3204	vssvc.exe
2468	wbengine.exe
3708	WmiApSrv.exe
2476	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\spectrum.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\vssvc.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\wbengine.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\AgentService.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bdb814e5234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\locator.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\system32\dllhost.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\System32\msdtc.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\System32\vds.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\goopdateres_lv.dll	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\GoogleUpdateBroker.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\goopdateres_es-419.dll	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\goopdateres_sr.dll	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\GoogleCrashHandler64.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\goopdateres_uk.dll	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\goopdateres_tr.dll	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\GoogleUpdateComRegisterShell64.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\goopdateres_cs.dll	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\goopdateres_zh-TW.dll	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000090bfd9c199bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a67c509d199bda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011cf019d199bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093f6089d199bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002995e79c199bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003175649c199bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000852e429d199bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032572a9d199bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009959ec9c199bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d9c4c9c199bda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
3752	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2312	21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
Token: SeAuditPrivilege	1476	fxssvc.exe
Token: SeRestorePrivilege	4628	TieringEngineService.exe
Token: SeManageVolumePrivilege	4628	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3716	AgentService.exe
Token: SeBackupPrivilege	3204	vssvc.exe
Token: SeRestorePrivilege	3204	vssvc.exe
Token: SeAuditPrivilege	3204	vssvc.exe
Token: SeBackupPrivilege	2468	wbengine.exe
Token: SeRestorePrivilege	2468	wbengine.exe
Token: SeSecurityPrivilege	2468	wbengine.exe
Token: 33	2476	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeDebugPrivilege	3252	alg.exe
Token: SeDebugPrivilege	3252	alg.exe
Token: SeDebugPrivilege	3252	alg.exe
Token: SeDebugPrivilege	3752	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 3444	2476	SearchIndexer.exe	111
PID 2476 wrote to memory of 3444	2476	SearchIndexer.exe	111
PID 2476 wrote to memory of 4720	2476	SearchIndexer.exe	112
PID 2476 wrote to memory of 4720	2476	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe
"C:\Users\Admin\AppData\Local\Temp\21674891397c7f960de6c9aa037edaa46b2bc8cd3c773eb462251649a83e5fea.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4028

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1460

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3096

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1776

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1948

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3444
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bc3cd3ffb08abe9af6e17bc6363f6d07

SHA1
9616791ba013234dca5f4a6bfcfd4d626135a8c3

SHA256
6692150a5809f3edc0622ddc3cf8a902c018c103dabfb9d2656b5251ed3848e0

SHA512
5a00d0a0d063f24281c0187ab81e968c298d5b99fc48fbcf13ba05410cbc0c1457c5276dcd30c6ee5b7f4152dfccde28f8d12de47779b28b3938de2d5382a779

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
3094e2ee7a4d5a3a304a08f57da4be43

SHA1
3f06a5f1880babf4e03c497aeeb84b30d7b5f64d

SHA256
b5be68bec2b6de02b027a1bf6da7ba68cc1996ae9861d3e11cb3cd0a1a88829b

SHA512
4ccd50cdee3321fe6ab745350bc8c38cdfacb732fbd210230e19663b72b6d6e31758df9b1dca96322e111cc74e5611d41d89dd3992caf088497435735f832a6c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8d49400d8caa58672e84eb4f84ccfa7f

SHA1
31eb28427f08fc6270af5b3f554628b2d32e50c2

SHA256
cd35f3037f00c0621d675578286ff6ca633cd4a7761de3f94db5a1f8c97bbc81

SHA512
a04a3cfefd7689a3c99fa77cca26b6e7356ad2cf1b6d1a6b2e7aa26d9aca89c4c7368a503ac89549ddcdbed02c719a221aea7b7b756b64785424d177ecff70e3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
af5fb843faa0feb471a351c78f50915b

SHA1
f093c5cdc6e049aa6c9d3b68c844c3d251e84df5

SHA256
c3a8a5af7476e55fdc4cefc7dbde3496cbf3a0573a72505e5096764a9ae6731a

SHA512
a0f08f570abbc63d0c1c1c1b474772bb80144c2d460840df485efbadd970997d2211095b9d8491060521ea8e91f7996075ea77dd93120d7acc64268dca9f5f36

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b9d28e31dab91a962ef7e0588dade226

SHA1
396727cfcffe6d1f18a1a3e805e9821fd1daf0da

SHA256
06f5340602a0eb38b59cab4b8766edd373543c8b45ee06a0ba53c098ab1f5249

SHA512
a3b536a84192330af5a99959e4b235a5539470f61c4dab38199f1269733e579d8a438e8b1bdf17ee6b21a0440d697950c888d9c48655aaf24278b334e4b3b183

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2919223fb5cdab52bd589759c3782e40

SHA1
aa3ef4435c9f238747578519c29e17db6146fa8c

SHA256
63099bd85dcfad38c10c784ed49bbfe742ae3e750f55406c2a9f431b035a23f6

SHA512
a6e7329b60dd6db2b68128bc4e12dd943de9c76631bffcc7935448152ae1dbcbf6923e97c959af4d2928bf8bea58e8d6a7fcce579e2267a66119aa6464633c59

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6a37e0e8e4b3f076b16c2c03301bb730

SHA1
e7d76a5412cb992031db8b8863a295f9067b934a

SHA256
957634f9d69addebc80745e8b5a99032180e5db6a2486c932f3e5220ec8757d8

SHA512
76b320b35968729d82e91bd5d993a2e1fbca5519074ec23a9584cf6700e75d9e429a4ac0d7b6c2fc72b220e6f846f8a8fe71656aa1ad7c8072a940198eec3329

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
42677bc490fbd8c63d2da51d4b4b152e

SHA1
bf280379af95b278b3a81a3ef32bb3b39b8b9f35

SHA256
47a82a7685e9343b375010912e729531c41e5b89346123a0a82cf39a4de0951a

SHA512
e19be06905f36d61506a35714e377f9be9cc0d6430667cb30c08a2883d6d1969d3adef36e9768a020f9dc967aca3b90114fbf2ffd0d1d1bc5cdedc678d37427d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7e1ae711b6bfeacce34495e84dadf82b

SHA1
0af6556d6549e7e6dc9da1f0ecf39cef162b5345

SHA256
4dbf846a1ed18ea41b5d4925821e080426fa2a1382fb57882755b9c338639a36

SHA512
b5154c7ef9a9f827d4c636b4cde8c2d38ea515ac6573b8750ece7fc49f70a8bbd1f4961007ccac8e87dccd371e7ccb346b8d918a2687091951874dffd26310a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8dde0999d407f99085d9630e90a06125

SHA1
5499fb121a1cf2eccbe3eeb8cde11a72b8fcccf7

SHA256
bee4930c6233e2e1569ef1a41d90e5135139f2e33f37d6802d8cc120ddca6f7a

SHA512
2c7e2c05f2f21c7c4ae148e463251ea8bcaa60b1885ee7f5c42e8c9cf94a1fc5a736adfa8c3301023c0a80526a9a78d69aeec8222990d741aca0ba0c557ba86d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
21a1a53453b849d2f0a30ffb9028a8fb

SHA1
f2550de665794ed83d24cb61cf4444c9dab7a3d9

SHA256
6538d8fd2f225ecc5d16bf3e3893c0a36ca4283f1abf654eb976cf4f2c8c3e29

SHA512
5a2b1a19a1aefeb8b03e412fbb84f259d43623f765a044158b062e9042f4b8e230c5d1d794060272afe135bf2ffceb76fdf85031875227b766fe4edeb95f972c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
388e33a04af254ac7ba395c7bd544c3a

SHA1
aa6ee73ee3df03c7593a58d361ffb39c51c0b5a5

SHA256
79be06325340bed82b0d85008a9d9aae47b4911f54d98c87470c558202bee471

SHA512
10d043a2c7399e26f50b7db32e9a110c8b188126db5c543f525dd3628e63629fb634f8054d59e40d71c99f0fbf7d6d4bf8fd45cc50b2c39aa8f779aa67efa43f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c1241a34ecd7095c70920ad23e100c05

SHA1
a0e9a26b73110ed072f12e88c42ad6340f490a14

SHA256
40d8cbd3e01b78d2b4b268dd7b2bdf148e5018852ad18a670c42818fdad54717

SHA512
dd4a0957215a683d76a0e7d73fd06526c251f279a170ecc16cf07b2a9120aac04d1b5913825993f33dfcf1ae4bac331bc078054fb64b56c013bc5982e6cca324

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4538fccfdca53a34b961a8b281280d69

SHA1
ce76d8f11fd17f5d69db84d49a528b7fc3ec8e65

SHA256
89fd1c9135e18c476f4b4e2e8834c81782d7c96ef28e6ef3231a976807d9f95d

SHA512
eee54a487e548750716e328b5c97ef8c71cac0474f2157f67b147eb918774828d107823649abd681a1c6cef57deb399b52725f90a303452f770eb6b66b0b97c8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
f694eb7e883436977b58e0b1ba64033a

SHA1
a94949605d4790af1ac5874f79b6b977c0f52717

SHA256
eff046be4210ee9c3f1881e03627be2a1eb66525c9d78bb013335c53185f6145

SHA512
73781d67c703155c04dd2cb6bc9bcfcf83556e7e33701fb0a6c4f981ab93c00eb34d303d92e4465a149ae43a0371f43dbdea7d118fe81027f48f7e9d3dc4d3aa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
1b334601d6cc50003957a1dd5519e260

SHA1
40ba848b9baafbb4cf9c66ff4dc97db455e242e8

SHA256
7789f275ed76ea7e37f4bbcbd3dd9b8f20fbed39e74d6aecae8198614cc425e2

SHA512
99e14a17ec3b9aa3f36ae56427d8ecf5dd2f39502d9dac49a83d96b993bc745f3a3a75ede7816b6650c085399ba8be034884648e46497b6e28b809675723d96a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
dc04d3805721c38f8c2e2c674737ca15

SHA1
a8dfc44ff2cf9e67a1bca2a1ffc14299765f9366

SHA256
e72ae9772dbb51fd3c8bfeb26ac57a874ef89a26807f9e7f9b9dd01a172986d1

SHA512
404b14e8419a9acd4862eb14719cb6de37cfea760ee7591c3015ef6792d214dc2977a35a6ecf4bf1bea8aa9a85b91f3f2912b4f7780d24eab26948c698c475d5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
c9467561bdc7f86f10f2613c3ea68cf5

SHA1
17adc85d260bb51fe86916f0e0adcf43793c7595

SHA256
45e93478f6cabbf9672355b02d212de37cf2b0b6cbe4fe4c9ac3ba43a41b59f4

SHA512
2cca46b562fa9cfc10316fba775c4e8eb05326e4453f6758e5ca52cb83266fc655fd001e393ec90cb66ba46c8e32556a0f1300be125015de568eb593ab683a95

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
cd1a0a2456679273bec2b8694281cd74

SHA1
03045628846298f16bf35a321c1a1fea2ea20204

SHA256
134e6f82d4c0000501b06c11b26af08e99e6241789f6b168fd16f70ba0bb53d3

SHA512
eea4d6d984e4202fbeeccc0297931255ecfabe760524fbe46b3755ea17ec6be221313b590b1e7e15b8247af8caa282c11237c92718b47cd36de9d16eb8bc5b34

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
f032ddb67364450dd526eb22f483e94a

SHA1
723b71ed0e60180266875e3e7e83439ba02a1580

SHA256
8fdfd18bc450fc79cad760736982c147e1e6c7db34c42eef19254190c38a5b8c

SHA512
44f73da173d241ef2641aac0a41decf784665718c4b52aeaedb9590be7efa85ad8129b0a1e7225d5f8d1c79cce91832b7f6a9b03751a15a22850aecd74069f76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f4a8a19fcde9d72a93e6f2dbc4427938

SHA1
21e33326ab2dc5923fabc3cb96edb4cd7ca33eae

SHA256
008fb0e0a23df553c7f2d9084fa32f4938aa6a532539a6399769d4fcdda4c694

SHA512
9a86be25b8cba6f1efac0512a4184125ee8e8de99489b2cbc3e20fc3a8c09f75557cfe984a32d1997597e175a1da7f994b158ceaa5e494e41d224fc6a3f07a2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
fa8608b4ea6a9a0ea2da4d9c881e11a6

SHA1
912d09187c29564459782239a22556bb20ddf047

SHA256
c601245cce8a3f22a8661e9fefe78195d6b42aeea3d10a969116abea2180c68c

SHA512
d2458a53e2519bda7fd3b99ca46d6f46310ba1a64eeae26b178f77e6b28fac1fdfafebfb34a20d823c3c6a66c17d7db5e055c94b64de589f097922cd38411c5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
432f2224f272d8194dfbd131f5c0024b

SHA1
c64d6f0c6a29cf8a6a326193032d497c3d2b8195

SHA256
4012d61196993b01b965d911a7b3ef888dc70f0525976dcf6218a10f2aca567e

SHA512
d74a8f5869e80e46e1f3ec883e5042d9415118080049de6a7f7c12cfc327c503092cb53cc999c30e64a74222fb1c0b065d662a87dd32aba0c5609c2683434734

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
daab3968f15e7a10bd4e74d41a227b48

SHA1
0f2869c94824d708cc21c392ca594b236dd744c1

SHA256
42111d54223883200bb7fd1362dc90ccd5ec71b85098582badef68a376064711

SHA512
bae763e863ee5110eee80b822f38258428e86adf3e234dd88fcc44c04220162f21f3b2340749b6a8fcb3b566db4281f20aafee2560d8bc94478a830c9e6e999e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
0e6147f1f4d193e9627952e18c0d7c5d

SHA1
3777e55e8ca446458a6513b0a67a5c6525b6be77

SHA256
8b8af356e1f8573f5522446b7c87e3453c97ade77b08d20909a7cf6e61019636

SHA512
2b486986598c7997036b80db4a41ce2aa2b2561f5c5762ed2e1c7762c3c6438813394220b01ad5aaef2c8fd593d17bc2dfefa8901d9b15cf33d3b77645882f1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
49c074cec66262d6847000a57a1300d7

SHA1
5a8608f4468226ea91dc64605ba9e217f52c45bc

SHA256
da3c4011606cb4ca0da4a4c696839b600d4a972e330b59f56fc39a83126691d1

SHA512
9c74cfc79164113d8dfc78a31fe43b2ec47fd2d3a4f2bbfa83160fcc8a1481f6c16c3c69b925a5a44acc9873b5fdb55ccc0a4f82179bf4d89e3de55a3c265a2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5e603d04c819f49997bfe7a3f7868299

SHA1
79bf5d03f01a26cb8bbac11b8037ed2b23225468

SHA256
1ce51e173613685ad0454a34bfd8f5002635c0ac300a4b7163b5049efe7aae5e

SHA512
bfebf819125f0fd84382f17a4c4eca4de7f5963f90d2463b0fbf1a8752acc8bf58dfe500d675f825fd6d48fdaa30a2d9a377dc57b74a525ef82e49b238e4e212

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
df4cc738bb309d275ce9158454c8d2c0

SHA1
462ad84c2d1bfe521e60ddc4fc00e6258b2b1ee5

SHA256
9979434556153ae18275daa4f737273761437e24c6abf8f45ce062a818f118b2

SHA512
9a393b3f9b3e855d0cff8879a594d9aa02c273a1e9e3d7c3d75b4782da5c8834f368a2e83dae6ea5918330907599af243bcce8248474de04d44e12337fc4a948

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
cdee7d663252147e779eb85dd2b20267

SHA1
a1ac51638488bc8dc283a587143cd930f3a4069f

SHA256
4563f3ee3c0e117234abb62e90e117375c08a699b593dcfcc8109555706f069d

SHA512
64a8641ec1a870e0aedb60578441413ac5507c7ed3b608d2de10b13cf07381b2f2eaa08be0baacac49e8f86663f29c6f8a7893cf116d1943edce2bc721d9278c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5e69e454019ebf192c30aca5258bc161

SHA1
8a6bc2c8d08654f4bc4e6b57882f6663bfa58a98

SHA256
7c0368bf00918e964676962c05a944d3e2deb50738bad75ea5f048c51edb03ce

SHA512
0e103b7946eb6489276a9398e9fd74ab41b9eda28584ce2a75bfa6951c07c3fa869c4c3aac0ab8dc44bcbfdebbb3a9166224c2c5a1d503f77c89248cffd37625

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
25f5a7097f062689dee4451b4136d63c

SHA1
8193decd7fca8dcb9a7d915156370a0da99c72f7

SHA256
f0b385baeaf6a13650a15cb9a7bc8cd6b513d40e3997724610e789e599f9cae9

SHA512
8b91b744679d728cb6f3b4e588ba968dba61111fa2e00ffe49a65c81dac38f25d39f14835f34f721760cf009e18edb925b4e7b017ea8328d9f5f14d765aa64d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
92795da50e761adc2968f7d539162ab3

SHA1
4815e0fdc0097f678fa51ff3035ba8bd3ac51090

SHA256
8a1b3be906afd01a1cd145d7afb9d1874e7991c130e401b3009054ae5001866e

SHA512
abe5a69b2a1f004be24fdc1f59ead93af5bf3451d8c7aa2a7041e77934c3a5f0cecf753ff87c6385c5c68377811540ecb2d1805f736ab333380f739215dd0175

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a974ac248f2a58a76e7e35952715d764

SHA1
6be54c2ee6a10706e9b5eee4ce36ad768cb22b93

SHA256
786561728b46738f51a05c2cf322b2213a358cbe66ea888e5320d51c03ecbb40

SHA512
5bc9a12b27d24c1202ee4e576bd83608a5e5b08933b33f24e14b74f2dd3d7b44ea24c5877d382a51a834a2e3d9c94498859b1dcb316cf2a8cda1bf44dfc82a74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a04844f50d0ad370752e176ac3e69a8f

SHA1
4ea73f38a647e1fdff327dd191669572f09163ce

SHA256
dbc97ea8b07dd622e0fa6e329c410513111bbd98d0fd3b483430800f30cf67ca

SHA512
ae5286a8722f7886979a6d7f4576ea1f5f519e844a658dead7b88d0719640a65d7c1bb666f5d089ac565fb4ded265817cbc63f0197aba3d2270ffc31e5c5aeda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c63927505a64f0c948f496e15f7f4329

SHA1
cabdcc6dd172d5315c2fa0160a5101b4ef7738c3

SHA256
8131be583b102ffceda3a7802cc661ded344990f07f679d3ec1d31c588d4c7b6

SHA512
a191a75413ced3039b31e69653d7d9f26cb1a8f93c6be370a3dd2c0570ff0efbe385e81590fdfdea49cecdc7bba80e98bd6c0876f0b9290cb5d15de2476c73bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9988bf45d442c93da95b7a06096a3733

SHA1
5a0050eb0049a75ef15b3b1b22c8ac21d823551e

SHA256
ddfb8d004ef73bbcb3ebef2526a8b32445427369f90536f28cba156ec50b3b1c

SHA512
10f2f9e19cfea397df7a73855a6da8fb039c56bffea46cee45c56d3198f75ce2ce89982281e75784b0be2d63394bcb1960f169ce675712803df697ce478b69dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
4b15d775c5224c98b2266ffc043bfbf6

SHA1
2308147a7502eef9746459c582498d93622e3a6a

SHA256
8f65cba5d049a0d6f532e6b39297ae67d88c3aaed583dc51cc7ecc644a6b99dc

SHA512
c806c38debd9bb555d8e785d1ffe09bdfb2c488d7db8f591a35ec9bfadf1e94fe9fa110902362208758e71c43913b4301a4913654b4c8ce1bc80feaa198aa3ed

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
56775285fe67cfab0a9c26e24e87fd5e

SHA1
408b3482e044826a067cac1b1c77a89b038c12f1

SHA256
67321808e3927ea5ec900e8fecec3731401e241582d98abc9c1a97e185982f33

SHA512
0ef51aa60643fc0d34b457a4b2964eee72418ec191e550f5d3c3f51bde838c0c019172f5b1b3c20a1017d51c13325969b4d85301917b5d6a3a99179d1da3f5e5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
42d3d35619c9a3e4d119b1e16f08551b

SHA1
eca9d6aa2d2a25879661a430a2d89cb57ea72420

SHA256
bd2513035310f6968dc8cb79d7ba0f75529d9271ad4b56282b72d24f105a36da

SHA512
67b10fae6b7427f20bf3a2cad1573c6982f62f6169aa7b754f3bcdd577b74502de7b3c35ab46690d8717a48c1e9f804ac7678371659b9c11fac79e41f01e88d6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
204c56bddc1a7fd465a604a943ffe980

SHA1
a4aad7cb1567e760ae7b135f2d2f6d92ea9593f3

SHA256
3fdc44c9d7c618f229ecf6a43b4d1f53836bc6e3e044f874208ca2c4ce373d71

SHA512
bf1379d6dac9c6d7a0751ad86866f1c0544953f7fc43e57aa34d9ae2ab58f49c73d3706fb9fd9c6f0e338daab40be423882dc7e27e74cdb283c89ff1411f4c49

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c7f70d6ba04fc31edc8239527d61182c

SHA1
76cb271ebf07e6a4647987b73c85530f9766508f

SHA256
44682bd32dce7838912d92fa68344f5d3c0c6c2926b46ddbb578f7108d828af7

SHA512
1571b2470630a3681e39ea727dd9c9e538a81a1e32d814044ef237154558347082e50a839755b6ca827a6362532074bbe681c810dc1fd54e8036843304bfeeaf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0d061d9822a0e159c5b464f6acace30d

SHA1
35f8b6f9c7b8f9fdcfa8e8e5ab4c0f6ce0b62ab1

SHA256
d53634ebbbdd2560236c88e60f68a644ec9a65d8205cb61fbd748cced97ee3a5

SHA512
36a297188a30d0ef979ad25331feb06ae08c68968296d48bbc4d70f2cb863f7a0ae72c9220754dcc6d0b26860620e2380897ec9f9eb033ff3a3dd8a2885adc22

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
de04dc1661059c1d84b027ad62e4dc5f

SHA1
ac819e1612f9a98e9f80f542ccf0ba3b51265133

SHA256
25fab36230c2d2f284ab958dc3885189a1bfa0c043c845317cb737d801f96c8a

SHA512
e5c53686c7990fd0812bf05aea58a4e865994bc60e68c4e337da59fc506515d6afccfbae4ad4167a7b25811c3c39325e73a3bead4c13f0d1576e4a1ce5553179

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bd23d2c440e59309cb73bdf0bf47b481

SHA1
814e19f270c8ada707f6610f561f983a94ac1523

SHA256
54ceafc939fc3848b44700cc9272d1caf7aac50beb9f21d8e529391aeb6b179f

SHA512
06fcd61b7957f4898f8769fbf5e70a8e333d7d4ab4da7bc17ef5de87e58f4f3f1d9c915d06b5d78005055bf944c702ff45ea44f78eac15f24ebee181f68c7976

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f9021afc33e5947e31b0ae0591c9ad6f

SHA1
4dbc4b42f053a1bd82a2c33a16e0c50b253fd2b7

SHA256
8636c137aff314f9d4aa2ef8683871f7f4ab10720bf972f888a06cc6c9cf9169

SHA512
ae8748cc6819ac44a9129b6dab886a0c697293a60d753a7c5258224db89e9124c1e449a92b2edd722fdb5b005902fd70e7cce94f96499ec477b2b021a4a7d8e5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9792ac42215622fe37bdb51a7eb9f576

SHA1
65a085acdc102b07c6c9308934d97e1b373efefe

SHA256
f4d243a81efb6efdf33b2758345dce752d3e74ce932b2e1110b6397521cda31b

SHA512
b1bf54ab78b53356645b2f86b898a9b2a75345cfe7ab3a47676fc9f7e675be26aae97567c8611b454d935dc94719d3f9895369cffdec8357f3760534e3980ad5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9e3b7e9d294abc0056725fa9f8f5eb11

SHA1
d3fe0aa475e69845dd45c8cb526fd374aa38fea6

SHA256
7e46de3afe7626f3ecf556483de2b8145bda555b29be7bdf1527fd0bd2eb2bf6

SHA512
549d03e1d19d859cb2656868b63d6ba679eb94b4a2610497f41f77d612371b58187ffa03413de7680052a6615b087a6342f89a7df562d8f01134c818008a0779

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
61a2dd67e9b2cc1e5d2904183eae66dc

SHA1
8cfc5a7e17ed0c970d90a16d9d94ff7ee62a99ff

SHA256
fab66bb82a902419aa1b304ddfbf5e3ed1ec2601291d2f8930b4cde6b8fa76d3

SHA512
db9952eb3cfec78d55e521e8f94eea98e19c8bf35d5a96bfff8c5bee0027fa8abbe54b3382a3f51153d81d6a0bc467d23f144e246f6da02cc9029efe4f443ee3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7fd65cda61afabd38ec89111a5643ea9

SHA1
4f4153e6e1ab630d9c2eb91d3108598715b5d659

SHA256
ac72c05c8fa46d319fde9d8758a1490acfcac3cee97f7ed2d142c93f9f4483f5

SHA512
01191c0750efd21d51d97fb0ee29578ef569da03d0cadbb086c46bad7f6dc14828320f5bab89870f909457620a484e533ce690706947235a0d8d25451b3ba928

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
63c3cb9f921874b934b6216cbf61a02b

SHA1
e88406975a36af1334c7476c065ef0a7f40258c0

SHA256
a0e8b18137b9ddadc7a84da382e295e316f3ee4d8e2203c6060a729278947671

SHA512
1c331548703ad3191e38b79f050f05d29476fd83dcb12f63ca54a1f8de9fe9ecaa4e96a176c54741f9da5b41840e896f98b4c27a9ce9fa8190bec39722e55389

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3918c58326c01cc00a7a1670de070e42

SHA1
d05cc040870cab9fea01f1a55b573b5963fe07ca

SHA256
7050086c932b27d044d89f03ea68762ad29fe0ad1433ae4e8753de6752ba68ca

SHA512
57d84e3151de5d72ee914585b5d4ecb9b666566047e99441811536314e277202940638e2e580a244d36913e8f6d43d7a7ec5bfc6f172118015e6c30ea789e536

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
fd6c2805025c9c318bb74608382ebf8d

SHA1
0135a854d68a7c95b137f4a2248aa2b5a42f2ab5

SHA256
4b2cbed3894c9843ad7b3b1c2a748ceb9fc758d1fbff22e3c32352b1a1915ac1

SHA512
c5cab11fe7ef935af7bf645ec53bac9c64efb6ffd8ee87e10ecb3d4eacd6137124101ed5b92cfa80c40b9811d396d36852d5eab4c075cf5b924350055453088a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cadafa93d51a2cbf2cdf63729b86ec09

SHA1
7446742bcac9410fdfd7d1baf6c49ba04238a600

SHA256
b8c03602eda4c36af39ce07cc2130e87a530bc359c0a6dfa70636a9619972b20

SHA512
04b65f9e24b6a820749b8d7e9656793920654470ec2a077d997523e88e2f14eff935b9eb1df7ab7bfdb36fcf877bc5c38e435dc1dd067f45ab96d0e9b80ab0b2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b9efdf6c40ad92c2196858b72abd2e24

SHA1
70647210f42286ee034b3dd17dae0b41875adf2a

SHA256
347921cde40281b6a422285e2a2f771f27142ccc5a09d2b2dd85234a04241103

SHA512
9c57cb9f0a5cf271e09eefae7b9bf22363cde293c0341e175035bb329746d0ef796460cb2e3042ac1d82cd5d31a57c97acb146618e7ba606b302e9de675df9cb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7071f347227de51fc6e42718a50671bd

SHA1
f076d0dca572a5ef94baefa87974b49f722c77b6

SHA256
987caf4793ffa6ae5a1b5a7ed5c3fd8a1cf1bade0f1e3c72917c1ad028939608

SHA512
d49627a14833bd936cb1ef50ca550b57d922cc39354475b80a0a1b7d6c47260de886abb6fce62a8253380ef676d6a65e0d4f2a843051f535fc5a0ad9c6edc6dc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
49f309305ac69ec7d4b48c665dc36883

SHA1
ba5d0e3e67434188b217baf8357b9dc612b59fef

SHA256
46740899fbab320997df2470507260598ec98e1c339ab5fe3b7131df542bb07d

SHA512
d0b319623978ef7caf734f3e1198b26e89987399257803d26d755a10ae703846e7060a74d5540febd925a8f740bae275fd9a6d34fa936cfd54aadd2bc17bf919

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cef20ab8212582d17a6fc59d921758d8

SHA1
88a878d80f2999dca890240026448fa8f0e97816

SHA256
a57ab13fea7643e899c7430978db0c08edf804e62ad3b111cf447817410b2156

SHA512
fb13ebdc4a687c994d194ba4a42e33dc0a97a9cc1d5464c7b1abe6f44828a51d4ed625e5f7f6a5c562f697a60d2dfbcb7f3cbaa3b9fd49b155f3c8a7643817ac

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d9ca6ced8af3009b79bf94c17eadaa4e

SHA1
0dc09c434b15f38f4fe473c3f7c38e847d1b73f3

SHA256
40e8c5a476ab9d86f2d35bbe24d8f056227cf475c2acb34307197329cc4b6de2

SHA512
65328c31468604d06b8fee8e3a6d04870207952999f57cfeede86982232bf5734d60fb4405fd71d51c5fca9d0cdcffbe21bfd20dd1bc0d834ae8d2a87361d1f7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b312d06aa2dbf598db2a7e4184fa6e93

SHA1
fb9681e2f8473e2f47ad24bfe0fe8d298be5d642

SHA256
522e91efb2a196debf98e18b385fb876284cb1b81aec726048c6b8ff9562ec5b

SHA512
7077689c5d0c82598197aded436918ca07bdfdbae2307da4326b0f0ab584eaac6aa3302d929170e5f0218b9d89d2c02a79505bef265c0310fa4037bc391b2e15

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0ff3917b015da6eeb369595a5116d5f2

SHA1
ef3241a1c21e7dc9a4eaf14c0e6c9a1d8bda5845

SHA256
ea0101a2729cace41cf308c5e3e3995aeb830952dd02348e64e1eb4097bbe6b3

SHA512
d5dbbf4d6a0e3e7c0a1676c51f7faaf6113db85dcec9fcba97d763b7f9ddc51fc8823da6d27e09554cd4b0ca9753a213d6c4c9d20cd3a1bf036114eb99760b1b

Download Submit
memory/1028-288-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1224-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1224-104-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1224-98-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1224-149-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1224-147-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1460-284-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1460-157-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1476-155-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1476-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1476-154-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1476-37-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1476-43-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1776-292-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1776-759-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1784-755-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1784-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1784-51-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1784-57-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2312-617-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2312-504-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2312-0-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2312-7-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2312-6-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2312-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2336-303-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2336-760-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2412-285-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2468-344-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2476-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2476-762-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3096-289-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3096-719-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3204-763-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3204-343-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3252-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3252-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3252-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3252-722-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3708-339-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3708-761-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3716-273-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3752-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3752-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3752-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4028-146-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4028-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4028-758-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4028-94-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4072-293-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4340-290-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4596-287-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4628-300-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4992-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download