bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
Size

1.8MB
MD5

79a916e37e299ef2fdf0b89456b5ca4d
SHA1

20087b426cbf084725ffe7c38d117ff0342e398c
SHA256

bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665
SHA512

237e240876a70527143b92dfd2fbacdb613e8cb958097be4a5a7a099a94c361f9fffb1e15ce7e9e943cd8ac7bb93a93da95a76e002e3275e79ffd8fbdfbb4497
SSDEEP

49152:Kx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA7aB0zj0yjoB2:KvbjVkjjCAzJfB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4428	alg.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
692	fxssvc.exe
3872	elevation_service.exe
2200	elevation_service.exe
5056	maintenanceservice.exe
4164	msdtc.exe
888	OSE.EXE
1236	PerceptionSimulationService.exe
4864	perfhost.exe
4412	locator.exe
808	SensorDataService.exe
3120	snmptrap.exe
1764	spectrum.exe
3344	ssh-agent.exe
4752	TieringEngineService.exe
1572	AgentService.exe
1740	vds.exe
1080	vssvc.exe
3656	wbengine.exe
4748	WmiApSrv.exe
4008	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\spectrum.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\System32\vds.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\msiexec.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d4dff3fdc979ad35.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM955A.tmp\goopdateres_hi.dll	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM955A.tmp\GoogleUpdateSetup.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM955A.tmp\goopdateres_da.dll	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000892c93c8ccd6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bd9b4c5ccd6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059e98cc7ccd6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f43b98c5ccd6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb70d4c7ccd6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6c4c0c5ccd6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059e98cc7ccd6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0cf6ec6ccd6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003dd230c6ccd6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee39bac7ccd6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eedf4c8ccd6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3044	bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
Token: SeAuditPrivilege	692	fxssvc.exe
Token: SeRestorePrivilege	4752	TieringEngineService.exe
Token: SeManageVolumePrivilege	4752	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1572	AgentService.exe
Token: SeBackupPrivilege	1080	vssvc.exe
Token: SeRestorePrivilege	1080	vssvc.exe
Token: SeAuditPrivilege	1080	vssvc.exe
Token: SeBackupPrivilege	3656	wbengine.exe
Token: SeRestorePrivilege	3656	wbengine.exe
Token: SeSecurityPrivilege	3656	wbengine.exe
Token: 33	4008	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeDebugPrivilege	4428	alg.exe
Token: SeDebugPrivilege	4428	alg.exe
Token: SeDebugPrivilege	4428	alg.exe
Token: SeDebugPrivilege	4568	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2512	4008	SearchIndexer.exe	112
PID 4008 wrote to memory of 2512	4008	SearchIndexer.exe	112
PID 4008 wrote to memory of 1852	4008	SearchIndexer.exe	113
PID 4008 wrote to memory of 1852	4008	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe
"C:\Users\Admin\AppData\Local\Temp\bc32dc685a0636076aad73b3cba942afb3b144aebf43d9df24bb46cedfa0c665.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:664

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2200

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4164

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:808

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1764

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4404

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2512
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7cbbff805ad7340147a46ec1129f00ad

SHA1
48084e84ccbf6e3b08905fbadb1b96e09a09b0bf

SHA256
c34d1a8406a2c58bdaa2ee6b87cd888c65b2e8b719722dd74267a68f4dfffacc

SHA512
4c33791a1df6b83a1ce533046cbe1a483fe47520846c0b83380729d7d8693f43941b25ca333e8a6877c9b339b1958d65172478432e463fd22bcedea7a7d5ceea

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
568dd6134853b9c3004ecb92c92fcabb

SHA1
603db73acf9c207ec7b9927412073674a98b281c

SHA256
25fe60f044ae8d97ab85c2e4e59176e5de6d62c896705920c653792eaf4e9bb3

SHA512
2d1d570d7cb974b54dcc83c2027d22192a2f69516438cb1e2d8427c3ca0a453a746a04d7c459e10f98c21351cef67e066130bcc963294df78ffb8b0c7a01b4d5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f8c21b2719f96adcfcd4e7579da068e7

SHA1
2204aaa145fe8ae0dc83bf0167047e0b4721f2c7

SHA256
98edb6c1925d07da94a0ae3439340d786ba1130cff3d3c00d1a94848b57cd8e3

SHA512
9cf248840e271ee87155c0dcd6273761ddc42ce3139cd44087dadfbd6a5498c3d113d9ec9277eaa128dc9c659f2338573f7ad55a2b1328c13c181737d906a93f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
749b5401572ff29e67e2168cc3d20313

SHA1
09c153eac45c046e8d7ba3270e87e60a721294d8

SHA256
16e9c59fea4fdf6fae6e6155a0857ce1534021bbcb919cb76e6b83a843aca36c

SHA512
099653ed4160047385874731166149f1e4b4ab4891738200a44d74bf93342737dea0c1a8806e886180fa79c87efd636d5313bfbe08024177fb42e09b01d80a1e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
37824d524de6271ab14386ed6977ea9f

SHA1
780de0ba96d00432d582faaa454935b4082ada6a

SHA256
662aa8ccee76c44644f0f224c2435e93c2bfba59808db62395687b6244f8e6af

SHA512
0e333b8b922df466f1d3c6cdb4f354026424ac8206232975568c7cdc0999a0bbed3833869f518a44c4c80468c7b15dc9650afddab00642f3be49069915cee8e0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e9c382a72afc059e2d1a1a4984d0e142

SHA1
696910e85e06e35c1bad1d4ef6bd113f57bc7c70

SHA256
81261032e267c946ec8e6c024595396bcc44b98c93b2f3ba7b33474674ced4aa

SHA512
a9d7335f7ea9abdb85cbab648f94a765f6708c46498f8d064fdf3b8f06ae938a722019bbc9e8510443137d0475e9e7aa8051687c7d16bc5fcd22e48dd35169bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4cffd084845fb0589637fb726ec5ede3

SHA1
1f14557261c034bce99dd5dcf64dc7e7b8710ea5

SHA256
9f1201cfad515a3c124621b2f877d3309ec5dcb122414feb7953aab5dadbcfd0

SHA512
a6592e828b6cf02fc4a1e307d5e88fc080466a1124792ef59a542be37158b2af0a1929e9c50760f9a17b827da3bc0faaceecaf9a6d3517b07ce7b802cad8cf63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a60a1306a274cadabbe836ffbf8dd11b

SHA1
ce2cbfc60471e0f07b6475a568fd2c6d8cb36992

SHA256
3fd34aa8654c06fda88bb4b179b5b56b6e9f642baa2bd7181de8a621796db6eb

SHA512
0c93d3cb9d67fdb8fc267306da8eda56dbe3309184d97eaa4cab9172878d5baecfadc1572a18fce1a089cbcabddef563f3a16a70b8d24e541ee76d4e7ff57e81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
de9654a4ed6b65cfcf22a7b6a24aca95

SHA1
0ed6ef849026e330032cafb989f90dcd776451a8

SHA256
70c1bb71c312925c38f450b295d433657682a1b0fcd5e48ab0362e02b2081f2d

SHA512
d32e18c10b18880bad90d890a855733d7f03e388c0bf2d5f24ed25dc0922021f290c8be2f217823e11988880fe8bb035209f3d1ebfc711fe7645d0cea403e84d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b058433fccf2c1b2dbb0ebd2a5428d1f

SHA1
04b9a7446adeb508dd598685bed30ca940a8e1b1

SHA256
c8c940a0bab46cc6fa6e4950707428b0f4e8918c742c3e0499c43c8f60d62fa7

SHA512
40fa4c97da8ae712274a4bfd4274d3374b7df75d80e22232bc31faf27b35cb1889fcb1ebb2b1d5847eec434a137e0149999dbba93daeedcaa5916602cc6d6470

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c21829e4ac0d23de24338e09077b5e5d

SHA1
c0e0b1005465cc9e17c2e06613bec26adfa90cae

SHA256
c1abf54bb0da0eb5bb599ccc5954783ad3d5ef6e48afb9e26b43bfd12854f4e8

SHA512
62d6111cf0a38a2873171dd28cd29d945b8d2bb9c859e0440b1095a373bc2f4bfc67f24d46dae5cddb22e445670fa931a604ec859cacd7e6517cf38a2a18d394

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a0c3d756e752db344f05c3af93d76f6d

SHA1
4dfbf0bf350623b6bb521526d4a7bedab8eb15d3

SHA256
a742bea17a424d5de0ae676226136233095818a64ac8f124bd1331fb8535fdd9

SHA512
7c92bc3813e7ad7b225ee5f723b2d920c0f680b2932894af5e39a1a44440f333050c9e079ed55d92776091b5bf88b8b7db5a94039b9b8c4c3b8618b54afa47c0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
61b0d2b7849873f9c5605ad1e674ec1c

SHA1
c6a26571166bee73ddfbe6d51d15a62d8d6d6c0a

SHA256
1e2c776aa821419b35635cfcad4a092ce9b27fa9f47c54304ba4c2dab15ed056

SHA512
6f4abf78a9eeae906c3e10fbd3930c35a24073b3d28d859589b4611551435345b180f42d0b48aad08b05040b3e69ea6677e4666d943d62de6cbae1a4221e4d72

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1f16ca40eea1b46307460cc9d1e14aed

SHA1
a391f3748e49aa84c39ae137c28eee6a01b42cab

SHA256
945421c6a622ed953b7f1c0f0cf2030926277d22065af34dcc512f425fafe4b7

SHA512
9b0fdba8ff850e0c587be4d2b9e02d351e82a4bfdabf64d38acc9c5d834c0aa34f34d8b898f08393ef11127d9aba296666a7069186e846094465d40e118557d8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
adf7aaa99e955bea5f16ea68ba1a7b4e

SHA1
4633fbaf108efcb8cd28835b71968e8e10319b6e

SHA256
e17178b95a6d4e2b204123473928d19b883903d84c360744b54c74378d4e1809

SHA512
2cd5eb0ed5338907fe6e60ca8b07d139402f02f2d0b04bdd712eac5f4102e7d7c14a9ff3281574fc44c8bf750c83158ae47ab68c491047d675418507eb8cdb29

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
5b1224d932d2376f796524b44faf29ad

SHA1
9c1ca244de5d8648485bb2e3d1fca1724e5c2213

SHA256
5c2b89a65e97a83c30daaf5836c0901cc6608ce1d94d600ca1d0eed3de6aa01c

SHA512
b58bae8416f1dced57a589e9e34caf6f18542ff925c7a803c535e633b1a8ca53c6d0ef34b663304e55defaf60928b96f956d886811b610eee78baea6bcaa50c5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
03bdf444e7b42a61147228a69b540af5

SHA1
59d0c2872112f4ae9dde6362d5f00f7874bac28d

SHA256
69c067346735389b4a8a1ead82955cbc76e9f6dfa853dde70ec2128e1d4e92dc

SHA512
fb60f97ce9cc67ad9c5fc76d5dc6002ccb776a00a2356cbb776546dceb52995dae3e3e61340d60dae5688dd23611235c15f1f93f5343db7a0c32ee6114044dda

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
f4249d7b0d99ff7f0f8c9ed68f52c47a

SHA1
2df69717f540e68e07df15615a92bdaaba9a0609

SHA256
4ae759f937a560e0950d144cf4c072c1964b2dbd1940787e3b6322eae8f63b19

SHA512
23de88e2d9cc94216ffc6054f941d547d02ac8b4f1d9e02c78048d82887adb1de5b312dd7af0be7f42d293716074cd6b1fd7ebffb988f8267c865a1890472575

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
c733480dc65346f09f9dd4832aeb1278

SHA1
b50c10b77af8fc2317efb8fa1916bea3930b627b

SHA256
01c459b9504c988d41964f0153a20f5039c4baed21e69ad6c84ed74e2dd7245a

SHA512
22cd93ddfa7baff38b4fced8c4f4ddd237d319548f764fb06aa7be2e660e2bd97b7b55428ef11f1d5e014dee7354c45c5dd8b9b7ee18043ea4c082b7635adbf5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
596e8d46d0940eec1924c41a60664654

SHA1
9f8ceb21fa6e5235f6d885516c207ec7a5f8cad5

SHA256
7f4d5dc11dcea477e8a0219e57b13a2e156bdd50bcad8f2278ca63fb5b43da3f

SHA512
c67145d0d9672e4d6ab07e5dcdf1a3101bf710cfa513f70437cde552b680c9ace11e23c589550300ad7887a3845ff31a9d694bbcf8a38d118867884583aabb27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b2698e384847191ccd0b32fe6b65b337

SHA1
832b1e07f69e85fe5a096e33a2f32a4ea1f07fa5

SHA256
0e5a811602ffe806724175cb04c1ffdaa0f88fe1a2239b53e7b4ed8da5d87c3d

SHA512
aebfb43b79c903bf1e91ab6a8cf8eca663c17f936a0fbd50640748fed82e34dcd3d2edde7689f70eb68283232d3028ea3c6652f3f3d488d13d40a5be00d78cfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
705298f7a97129650449c5880ff1b2e2

SHA1
417910ea0e37210b7978c3cab631e9b185e9117e

SHA256
cb2437472607a68569ab916fe585ef25d3e1c0a4ab083739fa9bdf0b3eb45381

SHA512
dacf141cc625710ebab844eb9aa54d8f7260995626e109dd024893e0a1056d4cfeb090eb5fc400dc28729633e869bea9132f6df481bb374bc0613404991a5bb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a877fa7d23df5ab5eddba02834a5787f

SHA1
d159860ba226ff29d75fd230669ff002f7cea9a4

SHA256
f4ccfe1179ecc29ba2cd49da3a7d89e65547dc48da266215e426c125bc631af5

SHA512
c08e14e88ffe96f9b7995c544d98897f51041c552aff45b2111916b932f715534c1eab34cc292914f37ef8821ecab76966341fdf6d0c39c14d7d9ba90609fc25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b01272ac6aa4e76e8c8fdb4f01d7e80d

SHA1
806275599df0316eec8a018b1b2b4a35c24eeb27

SHA256
ea7b48dfc4f8aca1ce4b9f3953080884dd8f50f75bb8db187f80c71b5bf2f066

SHA512
da62b9db3059e1d0fe39b71aedfe29933bb802a08d9891ee1033b0046d031742d6c062832b39576f39c51d0abd73579786102dc9b79c313787ad8fce5d583d2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8fd04db030721c2124e9e9b30c88c752

SHA1
e54ed95af3a39b9e64f554bd059b43ca1d532b7e

SHA256
1bb8a745b2d09a99e4cb891efe013d49e977e5f8ad034d3016f0c06b885c923e

SHA512
bd2b6956b9b442fda289b6c45ff114d169471e7a513c8d86e45b11bb4a56483d3f005210a6003bbd0ed9d2736a2c6cd918a1c9240666a88027add28591714537

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b9df40982af23d561523d37684d5493c

SHA1
f132176e87c0f2fde9b654c48935987a7fa35bff

SHA256
a09393b300a7a4b0865f112342970fd70d0b5b261c0578ae65b9df81eea3cceb

SHA512
3c163b91ab4957524611c1545a22c97f81edbaa029b4de4bd80e5ba71d45216dcc8e22462f824042bf7388fe79b6f550b205b1fdea15d668384c2a17b67797af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
85ef54efdd8ed088c2464af5b0f5db8f

SHA1
f7ef696242df9e4ad38793dc792ed8271c39bc9b

SHA256
10512a80063536fe735aacdcab2f0d585622bf0012d6ba8f26ee91ebeb4180f2

SHA512
ccfeba5209d918c5f76cf519b8b7dba74d0bd3b362ada95765d60ca19556346efa2dbfe452d4ad26d8281985c32721227e433f0d3c902283d9826224e2d5e2c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1b724520697e10b7249a4d8af0a85ab4

SHA1
f94c90a9b0de52eb4c828862887db0041f672504

SHA256
17cf21e116f4613cc6e6f1d2eaf0471cd09787b251aeede04be83e68f47ef51d

SHA512
bf3dc6e40a39d53cec7152e4d0b7238fcd6a9cc5eacc52ea6f80d319eca05b3173d2b4c0a7d62235e024937b2f6cd603b13e1f1a714f630ecf4ef2e6fccf735a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
20840fd60010af0476529b7281a3dd3f

SHA1
15c826c73e0ecc51ca8704d71973b277dabd9b3d

SHA256
2c6555e2fb25b6e266ba363e18a32ba760d91ff093f7a5815c1a041b901b5af6

SHA512
60ca3bdd3834593d9cd2cedc231b69bc634b4e1ed19df977ff2375d8a8814ed0e9d837c00aa2adc025e92b23299ac61a5361c099df2d920ed873bd07743bd9d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
792d8122889d68e4b61f276db2789f20

SHA1
82a2bbaefed795dca6bd31b716eb87f46c639ca2

SHA256
f6e2076d74e92cb27d996cac9d09ef71defa69f2add149d1de04d0ea550b7ebc

SHA512
1f6e1c66ffe297094a6c2e5e60ab4bb3fca779a26072dd93dccd5bd155ba5d8f8e4642577bcae40545f5e4a6d41934768205d2a213c329559e2ff584a36a282d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
93d6c792f904b0fda463118e10fd351c

SHA1
772d36772416530e321d603847cb1dff6440d8ce

SHA256
fc55783bbc72499adee52b5a4989f5a9f660444e78bc4d210e85accd75d8edda

SHA512
12f58d98afed33faea282694d0d5dfc278d853416344afb56a01ce31fa3011f89daf1d1c8b55f618e542c4e0fe05687e729d6fa1aaf7662bc6a45da24943adfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d6dff82b25d58a59804432cd2e12e14a

SHA1
2ca9e59c056e7409531094f1f19d1c56da202f33

SHA256
761d69ef8c9c3b6a148e93e4b081d4e81568810432db7c7fba06ae75605da755

SHA512
f7bd81696f8dd9b1ab893d0a0ffca97567a629dca8a88db1535c6c3c23253f57eac1fffdb013c9465ff8eb433a85f58afa762626cfaf12066a9e8aa204d705ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6e238346466157074371006ec5bab84a

SHA1
58332de005060f0ec7e387de06b1635cef005340

SHA256
a1bbd83ddbde0ed08521d12784566274242aa14c77e994a6e1cefed1b98a80ed

SHA512
48b9bd2ae4ca6e3d56a0c5f239cdda53ed784fd9501763305fab91c698a057eb51f65d3458c5a34b8bae2cac009b1924c1f4880b2b6774e36771c3114cfa6641

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ea2ca1ffa8cd782f66fe3debf549e868

SHA1
0440ac9ef8b74a71ff835b3944d0d22a8ec908ef

SHA256
ae783711c9e07fc3ed469b4128b3e3e94bd0a4a8ebe9b042661c8710732f8700

SHA512
e366a1ecf22a84cfa278e68bf2a75a690328be804f94b9203098b7d68bb1cddd16a7325b5b9c070034c03e7130800ad91bb1bd9c6e38b9069ab2540b08da546e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2cf9121c70cf48b9720b34da0cc70629

SHA1
a5c4ad386cede3b2a54400ef9766bea5b3558e4b

SHA256
5bc6980422fccd16204fc9aff2edab3bed4c77035b3ddea2047abc82a1776521

SHA512
7f54e4f7ceee314403dcb652abc691fe074c8ee3c955528e0be833a05071a3c1a868bd485ee4eef94b4cfd5af0e7e4a4df806dd0a8485a057de4f18d2c500e8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f3a7cdc72de78492640bf8bea24a0aa5

SHA1
811c262c3a92e05c93369c723575ef4850a1fa69

SHA256
fc4c29299f0fcf6d6a58c6112cd4eb48eab343f0475ad97e3e47c5b450aaf1b1

SHA512
15c316deb31ebd57034a6bdfebb3ec76b159f81be2c0bf83bace6d5157fca126a0cc6f0893d8f352f883be35725cf98ef774a649f70a746102ace7355413dbe7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d75f4b216007da52d142d827d58f25d4

SHA1
75ae8860b067c9180f68a253b7e7fac325c77254

SHA256
8348c81c59c5478463742eec4715a190e6ae753bef3e304fa58f24c59c742332

SHA512
2435a51290fe6e204d5bae497b89f14a96009289cb8a2342b48d5f53d8db896b11066354e6aa498a02592a8803493771afc0143d4457dc957ec12e547fcbae9e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ff0e09552d49f5ef808d9d294f7d7822

SHA1
65f3210a1345e2aad8a98b979307c207d77e757c

SHA256
de9667595bb51b3c7291ad0d081552393a40396c81280db50776c4e964498274

SHA512
90ef9de02637daefe26d74ddfa826c8c48ab55817f6b17c524950aeb33aa5227d8bf3722d50d9356a6e827e23a57f3b2e05795840fef569a6a117c78f7b460fa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e68c996c434da5e6bd6f559abdd82b4d

SHA1
78464c86ad14247fcf0f44e94016eee0157393a6

SHA256
9370c36248253c637700a44122dd0e0268196bf044d8bfc9215995d673d1b3ff

SHA512
4fba7563771da293ceb9de3e03ff5a43d70872bb9a4d9bd8ef53d113678da236a0116a2280aa4bdf4d8ed4cc04567b7d8000d164b18657d1b02d463527e108be

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
095e91b4a69a3adb42c71d71ce75e7e4

SHA1
804ea12c46ecf95e52bb20eeae475b390564445c

SHA256
d2150b6d5bdf2670547e421e8c51f19bd34d029d164aba335a0ca70439055ffa

SHA512
02967604d55bfc0c281c2b304cf5f2b0f604d6e08cdbcc2fc53d6fa0602b440abea1e14d6fe90fc0323b6e9985efa96194f6769caae25c130f32743d24ab3f2f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
878ad7abc548c08782cbb4942e5aee34

SHA1
4186448ef110a0088433b3e7d54da969124b82ca

SHA256
e7edf8779104f891d2ece97c93181e08206d4b459bd9abd0a98fadfbcd5aba2a

SHA512
adefd8f50958a706976f3dbad3a4c3909f270dd5cd1fa41d0cafdaaa987cbb6cf9cfe44db105ef58f1cb3684cbff24cd1b358ef86214fb130bd96d3a13919c58

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
612b4f74aa8be5060575d01788417e2d

SHA1
ff68afdf139e50d6f603c454513da0dcc3679cf5

SHA256
d3b9f1b1450abdf292c778693a6989175fe4fdd53f7e29d52460b7bbdd97bfc2

SHA512
2b3ea7fda2afc1cd347e732dd4d6c64d5121d461883cd8cfba67713e4004dbf4252c3ae0df865daa75e7a2055df274bd5ad874e35f8e87361090c93b6fd3e2a2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3f882f1511758bdd91589fc7816c8fe4

SHA1
eda828c661bca795762662059be022a3ef5bc66a

SHA256
dd44ae3c7b91c80edbcf60a3f323908fc5e6258dbddac0251086459c5b17a676

SHA512
f015ce89f0ffc25934ab02142ebb4888bd6b1834709a13e9d818f2b705253995c3ceaa0f0f10da6281dfe2d0833dd814abc83f393c6f37732c554b09ca41d1e8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0c0c629da1cdef0aedca14d8187c9d54

SHA1
3c0235637ea09d9322fecd74ad0fd61d922346d0

SHA256
d6b1f536cf27d2b2ba8c48d219bbcaea975fa99fc94ebb89e30e3249740c55a4

SHA512
d1cd180113b013bf8cc024f94c145a726c5186c54c97fed59944ce1a015f609a4be96d2d8c8b52e4d96b02956f444ef201248d79233355434fe34f297afcda3f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5661753563e367cb09630d04d66f56b4

SHA1
b8a34d3180927cc94b6c47786dda9d3ae1c0b3e9

SHA256
8a20dfb67b6d1783d964863043cb0aa787bb58bead85e1ac6e708ab58a281f28

SHA512
053408167c45cf461a7f3ffad69b5d2ff6e3ed9ae6afccc759e6c1ecea189348e14ef9194b6b5c915f60c255aa2c3d259c21edca3a84c8795cf01b88dddc6dfd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1cdcccaa54d1eb12257fc835d7265dbd

SHA1
299f89d3876508bb409da2f942f1e9f0a01cd5bc

SHA256
358e10afedfcc530de3e9704d6ad6fc8065ed56127b95886c31c7b58c25d4dac

SHA512
eadb61f073cf70a390e0e490c839265cd23fd5739e2ed8feb6113fdaf5f3486e39f5d7b016aed5ca685dacc7babc1d09f50f876686a0bf6894d70a1b5d7ad61d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8620fdd2c457e61faeaafe626bab15f9

SHA1
cf45039a116b144ca8c631b7d2127036f2ec8f47

SHA256
fe4426b6db78802ecfa485a48c147a3897cfbafa0624e87885de6c026ce067c7

SHA512
873c0adf73931d90b200bdeb84faa3be5f0500c82833942a248485db0d71df30ccdf9187575b5b425531b38c6848bbfc8a517bbb36b758b2a552db3178e621e7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
739ba7c78df719330a1b7e95b7303973

SHA1
8dc87bcdf17826972c46bfc329493771a5ccb772

SHA256
9a035ac3bbaa6c8c82ad292b4a1e090f429b107f859d8fe9630f9c18a405be40

SHA512
4b8f812297cc919d79504daf78faa31474c19ad98045f50d00c247b67d6df7178d847893642195a1ac68d9d0fc0d0670cd4de904354be54dd6b1a390c7e4dea4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
20baf06e01209fd31b7f8ab168e64ad5

SHA1
5e7aacfc30b89f308d301fda5277ad7f5b52af50

SHA256
9e292a52683cda2f04f07e4cae2d20b8fb0c032cbadea68609304c6941424bba

SHA512
94a12e89030031f06f814c4b3b60e91d9284f29fbd9531c87fa49a01e4152171e85d27202ceb2b36dcbf703039cf8f330a3746c60c808cf7a06a77654a248d9d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cc01eb3f5dd5812941c8d789414157de

SHA1
6906107088da37c935e3f24fe50eac3fa039ded3

SHA256
c4201460d152c35b22d7861716198708ab7f15d59d0de20ae34563f5cb648019

SHA512
63c0b686d532b8fc223a7dca6d089dbce49b2675a44af93469cbe4e2d1fd51709269f7b03eb6a5059719474fb983f0d7d17da4b4a59c357b52a8d33088ccd6e2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5dfe02cdc0d66d264bccba3d3e6d5a5f

SHA1
0cb508375829ebea1953345868a49aaa1f6e2135

SHA256
840c4d7aadfe2bed3bf9b6cbf3c830f3ed7c52fe12c1aea51dbc26d1efd83b15

SHA512
24b5c791a573b2ff7ab08bb5ddab7e8bc8f5d50725179b1af020f535c1c15dc4451e18b6e3f790fb22ccf8f5dbf0e81ac4c8289e3a0ac4bdce96045f88bc3c80

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
27794eb0e7d9ecaaaa8712b7d398ee8c

SHA1
b4e990777a04aad9653b34ba4a5843e5dfe9cefd

SHA256
0ac7433d0200e9cee74dca181c5c90cd8227d15b7d9d10723f635b262a9d079b

SHA512
b92bedf2a85a2a66307c905c8274ca9900bce7f55fb104e8ca4fc664e60a767e7a82f5974f445b614e0b777d8953b9d1fa56c6e1746e6b182e18869fd4e8619e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8bccf63cb1d287882a51ce607946e3b5

SHA1
0e98987e5cc020cefc03673ec68d0f08d513c8ea

SHA256
22fda766870c9bc1d09057e6c28f0863510f04dac22718445a7c443cf156ec09

SHA512
12cd3a1dd6d9b49c6582f51a273356ccd953942a6d6df76f96f8a03e78a2bc6a1eff9e6068eefc836469c8757a7857453a221f0f6a38f57e2dbd095ac8bd0a42

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f3c1f889948f1d9a7fa53568321d04b2

SHA1
ad7df33b20fcc7f15fd9df620cc7d5f44113bb4b

SHA256
0662887a4c4d7ed86f16fbe0a1d66cbc3c47c858ff8983e8d4d47e8bc71543f5

SHA512
5583d69db47c9be7c90dc6c1945eee19a3cdca0c6532c7180be7646f440195714469940394dc1e6679a61ac9e572be48782945b5fc3eb7851ed184b398b3d328

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d14add88302ac238d596582487cd6bb1

SHA1
f32a3f1bed9ee00578cc8bd4c25755d66016679c

SHA256
883cbd371b1026ae745df0ff453effaff0e2553d35f93d5b32e66bb7dba9a227

SHA512
bb11d488481d4edb59470090d9fa72bb1c3aed78619e9fca7a7c4b1eff2e69a4ad2932e97663f5f53290f8753720fe526be575324733884af28da25b5ce8d74f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
29c9e1541484f93146785965891f6641

SHA1
39ab863081d630d574b63ca3d4f02610923c9bc6

SHA256
4be7c12ac462fc4c2e521a92b32c598726067c4d796833e06c5483c7165492af

SHA512
f93afd5c8acfd7170a6ec5d7c266bcf1b68a8c51c1a9b84d4d389619e4a3cfafc56224b4f2a026e204dc1b184161eb717bd917965b86f75834c3f02f746b31fa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3fb9196f8f22593289879082eddff569

SHA1
188b9eca2eb0eeeeca5b0d9b67aac67ddbad2d8f

SHA256
0b29cfd6197887ab8bf970e06b394759757bc7870213e0a798a9f091eb656272

SHA512
7b4adc6e322e0f4cb26e209f5804c0d581b5fe24dd0a8cacf2f6f305770f6e9954a7c259f00b637404f02212e5e44801939bdda1bdfa2c00acd85252bccdf0be

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0651bc8a930267e812af3e5a98d53680

SHA1
8b07fb6770662735a5c14cd148725daa1fd45463

SHA256
cf952365be935b305cb7555d8d8a072b5474a3fb27d3f8f9c471a0493d3f9fff

SHA512
74b50b3cfd4035787e485d5622a9ca3437c1118eb76e61ae6a8e24b32cee590293062dca68c4095459160e118b0923e56f7e28d5b1ceb04a6808d36a4a35859c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3749eb494fff1da7c35985620414f531

SHA1
c0734d1df0facaefa95dc9f651c66f3dc94f8c1f

SHA256
5d20d4cb7ad5754f4a7969be4d0c2b8194f1407b6448c8aac32fb52b6e19943c

SHA512
a9032e558a151c348d49c6dbb10ff59cc0ab58e020c1c69849ff97e9a29de88c9e245fe09755a4e1a0c96f22814ed61d950656646ca6f3890631d54a7901585c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b104656540bc3f3e44f8cd67213a0b00

SHA1
b5515c951b1b1366da8853e0947e18e842fab101

SHA256
71300a9c5a1130f8c0993ddc7e0a3f1cdb803b84200e08264d493b2ab329b114

SHA512
8e32a7098b0bf1c5d8b01681eed353c7324671cf5271eeaedb3709d2ff2b1493b8cbebcd1861c9985fb965f214cebc237a9cbdc8c9aaaada3b2b9421b388f25b

Download Submit
memory/692-106-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/692-112-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/692-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/692-128-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/692-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/808-747-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/808-220-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/808-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/888-284-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/888-179-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1080-297-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1080-767-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1236-296-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1236-192-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1572-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1572-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1740-285-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1740-766-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1764-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1764-678-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2200-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2200-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2200-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2200-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3044-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3044-621-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3044-6-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/3044-1-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/3044-178-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3120-507-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3120-230-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3344-764-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3344-247-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3656-308-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3656-770-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3872-126-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3872-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3872-124-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3872-117-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4008-772-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4008-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4164-158-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4164-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4164-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4412-208-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4428-18-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4428-195-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4428-11-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4428-19-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4428-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4568-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4568-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4568-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4748-319-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4748-771-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4752-765-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4752-266-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4864-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5056-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5056-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5056-154-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5056-143-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5056-149-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download