37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
Size

1.8MB
MD5

a9151bde8f8a6d33092b38bd17dc3f11
SHA1

b4d59c573795881c1a372392e2a1ad7c83880672
SHA256

37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380
SHA512

70c3a5d29e147b506e439556c5804043dd73e2e8005974e96d79577a91920626a25e3f8bb01e3426c42e91a31a21e05aa625fbdff8ecd72f93d46918323f83a0
SSDEEP

49152:AKJ0WR7AFPyyiSruXKpk3WFDL9zxnSakQ/qoLEw:AKlBAFPydSS6W6X9ln/qo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4448	alg.exe
4152	DiagnosticsHub.StandardCollector.Service.exe
3600	fxssvc.exe
884	elevation_service.exe
512	elevation_service.exe
3768	maintenanceservice.exe
3352	msdtc.exe
4580	OSE.EXE
3068	PerceptionSimulationService.exe
3400	perfhost.exe
2736	locator.exe
5104	SensorDataService.exe
3508	snmptrap.exe
3592	spectrum.exe
544	ssh-agent.exe
3432	TieringEngineService.exe
1048	AgentService.exe
4716	vds.exe
3652	vssvc.exe
3712	wbengine.exe
2140	WmiApSrv.exe
2452	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\wbengine.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\beae6df82b574d51.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\spectrum.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\System32\msdtc.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\msiexec.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\AgentService.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_iw.dll	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_bn.dll	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_es.dll	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_vi.dll	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_am.dll	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_en.dll	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_fr.dll	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_te.dll	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_ml.dll	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057959830a491da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1e28730a491da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed7ea430a491da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000834a7629a491da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd0ad829a491da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8bb8030a491da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012368229a491da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cef7e2aa491da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4152	DiagnosticsHub.StandardCollector.Service.exe
4152	DiagnosticsHub.StandardCollector.Service.exe
4152	DiagnosticsHub.StandardCollector.Service.exe
4152	DiagnosticsHub.StandardCollector.Service.exe
4152	DiagnosticsHub.StandardCollector.Service.exe
4152	DiagnosticsHub.StandardCollector.Service.exe
4152	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2740	37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
Token: SeAuditPrivilege	3600	fxssvc.exe
Token: SeRestorePrivilege	3432	TieringEngineService.exe
Token: SeManageVolumePrivilege	3432	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1048	AgentService.exe
Token: SeBackupPrivilege	3652	vssvc.exe
Token: SeRestorePrivilege	3652	vssvc.exe
Token: SeAuditPrivilege	3652	vssvc.exe
Token: SeBackupPrivilege	3712	wbengine.exe
Token: SeRestorePrivilege	3712	wbengine.exe
Token: SeSecurityPrivilege	3712	wbengine.exe
Token: 33	2452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2452	SearchIndexer.exe
Token: SeDebugPrivilege	4448	alg.exe
Token: SeDebugPrivilege	4448	alg.exe
Token: SeDebugPrivilege	4448	alg.exe
Token: SeDebugPrivilege	4152	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 4532	2452	SearchIndexer.exe	116
PID 2452 wrote to memory of 4532	2452	SearchIndexer.exe	116
PID 2452 wrote to memory of 4936	2452	SearchIndexer.exe	117
PID 2452 wrote to memory of 4936	2452	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe
"C:\Users\Admin\AppData\Local\Temp\37675674ae785029c05178d4037fd63a61d8cd9eee1f4dfd5cc7caa2096c8380.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4544

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:512

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3352

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5104

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3592

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1332

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4532
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f9ba5b611d6a2ac1e6dbc61f847333f5

SHA1
7f785664ab693f9f1fbfa0f34d416ad678849f18

SHA256
165a385de1c6b57bed437b4e91341ce66faf1ad6accade575724ff50596daef8

SHA512
689da04a3d4c11955fd54d00633d7279b3b09adba9166be547749e381a41fee848109d24c40df19dcf4d5796988bb97b137d76f55ed0b0cc4c9e30a8c5b7439d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cbc1607fd29d8df1060cfaeb04d095cd

SHA1
827fb52d59e8420cbf44f411fce08e02dc60ff5d

SHA256
3078143894594c3064a8afd2989b3354f280abd63f0ede61f6892793c3875046

SHA512
e06c5e10feed9f06988b13d6872ed0d18572f70df5d6a74c52da43ed414e53c6779d68c7bd015577c58b245d63407d3124e67fd98f1f25da189366a73e36fd23

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
cddad7a30454a1043217cfdb9ced0767

SHA1
02d2af8392c1162e7c5691c770fd8dd2aae02053

SHA256
50e5c881fc0976f6d2e9561c0ae847cfe459fe33750a63f912674b60df248207

SHA512
aae274d7cefd08fa23bfa58d6ed6d649c907e4a11c240fab226569aa6c2813a6462016bde9ae54a5da904e71cfcad57ee637a5ece673bc78fe23a38e77604f86

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e729da4e0a9b2dc775d3ba7d9e8bb1fe

SHA1
a45d539d3b00cc6190fd3b7e3568b2859eea4000

SHA256
5bed253538b5d632208b0cdf6b1eddf8195e969e257fe4a207bcdf58f909af41

SHA512
2e7189ebbefa85d4bb2916f71333cf065cbbced3d25fadb8ef7fc3c6d0b50b2dd7083bd358e7c6b62c74239158ab9dc6761197e6d8049fc340ac00b9dc1d0ef2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
76f7b74b8bd112b0a8aee9d331d5a191

SHA1
cd5c97cec8b9c3c5246add29d239b3fcb2954c8e

SHA256
d975c7743095bfbe7b42c0e22343fee08080a1aa76b0d50648e94e45432613a5

SHA512
4d91529ace1a1946f8dcb014c0b824fb1c6060432d171a1212abe9bfcf4beeb102923391e6035b4e89c5792f6f0e96ff940ecc1fdf488533333eee97703cb0f8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1f7b4d527267bb60c3e38d715005c1c5

SHA1
1096bf20e946695e9a6cc634903dfc7009fbb6f3

SHA256
3040b88bb1cd7da2e3cde669769fd87ff44783d17bf6d5bbd25ed7b6464172b3

SHA512
3ef61f6f54990dc067c010184318733513325543e693f894246196a8dd498319bc724b2b6d5861f40f66af7d157d461216a6f6331d94b465ea46ad38e097ffe7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
010b3636bbd8dd5b3788668561e13fa2

SHA1
3c62330efd740b8529489fcd0886b2e97d8c16ed

SHA256
914cc21fc76722885ffdaa4026dc04b3d0adfea4c839665e8172f0af5be7797a

SHA512
a8ecff27b7fe623add82d9e876ca0984a89706be25793a6c498d4f054272de3c540c44077b8f3cd335b724186301b716931e9707de9c2a9bacc6329965faa077

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9226317681957b329e91cb081bdf4f4a

SHA1
7732ff502b49a30e05962547293a78fb54aafcc6

SHA256
8aed44b5ac32290b11d9a378852ecaa8e2b4292daa325367689d4ddb1ea1adae

SHA512
32bbceb95a3bbc76870129bfe4208ee5bea45db1ebcdb85e01ffde076ee5adfb78e882f4788641d272b87696d3a132916950f1ebd15e5b83eaf83b6d4d5c3314

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5f72d1e83cf058b53e25a54e2fe025e6

SHA1
a96287ea923f4d73fddd5b3095ea3036e6d584d7

SHA256
9b9d96f970b59fdf7f0b79196a6830c7f05e1b5ea8487956a2a11575506ddb17

SHA512
3c0b5cf8d83092da0361c27f158ba2e637660f03495ca973714edc2745f089834cee2a1f46bb0d2fbc9f4c2aa716133c5b103da4669e14ed45ccd1aefc0280f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2859259fef4790b649e71e6eda1d6ba1

SHA1
a893301851ddd8a4b91864ed23bbb00c8b799a94

SHA256
b932a6a8b980b2bbc152c0c6c0b94246c2ba29fe223b22f4d0dd50350b9e846f

SHA512
feba1b71234efbe3570401c0456e8794b647e1c23c644435418f286c8de14f42d43f5692380e342f1029093c7646b3adde5ceb4336fb5a61f76ef328a1d0c2ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5bc2841d7688008070592505816971a0

SHA1
1556a1ecb6cc5727eb621ca89cb3f8ce853d58a3

SHA256
79aa2d968d157d6ca57e756324c90e0d5ab33bc651c6fd6954fd04ce33fb2708

SHA512
dbc4abe9b76568344cb6e99642b2ea74f672ca55416c66abe9e0297670633578a1271aa8c6d48973bdeb2476ef6086b231ce51b90014e70fadc0c28d3afdb3ac

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
890b69be4d5af221bccca862c2c2f015

SHA1
8ee19a14e4756a4a4f7cbc74eeec6263974b91d9

SHA256
452d9f56e69426ba399bb8fbdde451343695b140298b81e91d1c165de7402b34

SHA512
62adcf1317013698a51bac5152a22e29f7dc660855fb7fbf01f2eec81b9e5d6159588545ea19d36e4ff769370c1390218bde5902df0c86cbb07208a49457d13e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
77c86b785ef43971e56f17093c773f1d

SHA1
5c040d29f3157bdb3c6e09678d887a6e19ed588c

SHA256
99edf616e6067d703b8b03c325baaff086c3f68061ae1489d232648f4df69a09

SHA512
11f306e59e478c4dd64e9312aa0cb44f606046ec4487d8c70f8d2be082a60079dd2684daa3e22bfd025fa72af97f9b605160f8d7de215d654814e2f9081172cc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
392db38dd89808032942b67defc035f5

SHA1
fa315a75ab94b36ce4665d5b8ef7ec683aad0933

SHA256
616e2efd12845b6c17a24804bd24dcbfac1cf12c137ed82a994dc25f33d107c4

SHA512
d3aa7df539fb3587437a5949ae6ed0c1efa2412517e8b3cb12720d992fa5891e51bee3ad52f629267e0bad35bf2e421a020aad236d921b92a8a1d2b057688d8d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
182d3fff2bd1ebaaed961101a5450aa5

SHA1
50990b7873e4a74e288e340e3419080ff17f0980

SHA256
f162011cfaf554cea7cc6a33e76e567e028857a36050aaa8679fbc1bb9b9b033

SHA512
e5c785343347ff99c056948efe2f7db8fbe5455899ca672e0965756a5b47af34c205ca5e833ed5621e382ff927408f7ebe528629b71c05133efa8a8d5a13c75c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2c0ce35db5e5eddd72535f18a863fd4a

SHA1
8010e95e8bf9d0a6b52f523f90945026a80a2b6d

SHA256
836e9b20743d066954d29966bb3436d409a59bef2ca0fb77796b37d56d112ba2

SHA512
22cef57d2a3ac4bf777566c8bc911755a998efa7fd05431853f89e8e430d1c5b9375c6279f0563ed685161ace703a2bac85921dc283c143f62699d3a48d660ed

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
49a0959be242a8b675fd70bb8ac4eb91

SHA1
ec07c489b600acfb17a84e36ca3e40b0c5d7d795

SHA256
05740b198809d5d633996bd5d3ef08988698df03e0e93856572e651e4c666f72

SHA512
1a9c208cae11af0f35412b22160f92260f5b6bdbe18af1f33f2742a16ea1c5c47733e31b410cf76d530770d7210e15b5ef83db4af51c1ca440af1052dbd6552f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9905f545b8af05ad65aafebce69c1a0d

SHA1
c7a2358dd7cb541960fda34ac7df8e68cb06ed35

SHA256
c9de184975883353d4d854fa55b722b63ddbf300ac983d181a5f938f46cde35b

SHA512
9fe8db23de5efc2c40a0ecd80867e083102673fdc3b6066bf273ee7df5cb5daf95457a346380380fa6e4a0d63212c324631bccbfdac5e4c5aa00ef514d9fa4af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
db1bb7ed421b59e69303d7bccf46d607

SHA1
29a57c11238a4d7859be7641cbe1ea1028420583

SHA256
1d06600c8c377a412225dc786a0f6cee56ab6aea8f8ebfdf9a86e76ccbc9c802

SHA512
f07d99b31c6d9ced0879828083b6cd8807106b7ec344cec42d4583739314ebaa9053413320726c1002c12ab77f2c8ce340e4dc3bdf1bbd3202ea791dfa71c577

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c2d30228f1b1466d64379fc3e847b278

SHA1
79b2410bad55842a75b0ec54a741cbb16c49c473

SHA256
37a474a770d22924023e23bace1076ddf876f977f5d30057ad79c2275e4b5078

SHA512
e522cfe3faf6956ce77d62f4db6d981bc0a8de603d43ca690fa901f14fe94d1721a39403016156e3c3fe727271c8a5b11a71b04ea46a505814b1299fc599de6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
1cdee5093ed9216b8239a2a305f202e5

SHA1
98b7cdf8de1710e1592ece85f17b1495e789c929

SHA256
db17fdfd1953de2fd341c8d4fb7d6916e58dfaccf5dacf1fddebaabfdfb7e67c

SHA512
01b0ad316e9023946f228437f1d3a6b3d743ad5b88d1fc949a1f5f6a052c021244c08a04cc1c29b69a5714cba081d982db2417fe87cd960599e64aeb91636f03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c889236637167ba34a13c7f8547240db

SHA1
9e8d77fa889c5ebe6fba2803cf6e4a8e9fbc51f1

SHA256
e04db6f3c66cf1e76c7709e3519da4e0a4248f7bc74eb957a98e4fee8e34b277

SHA512
7b0add1b44516482fdacd50eb97b0c9aebc6a5a5b798f9ab2e6f25f1ab51c0684c86a1141cb266a61eff2b00053978b59f494e839af1ee1e9cead69a6df7d3b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
2ec44104dd8836ec1e2c4e44c9ce61bb

SHA1
44412e34c44f45465f63e543d636915f7836c1ab

SHA256
8f5a5b2dce4fc52ed95f09c60e4c4276a56bd4218f92369e9f9fe9d56fde02e2

SHA512
43dab3041b159284c496adf7704cf980f7312e7a541362f0d66cf1a7c836565a01037eb262ae4519b0dfc1383c630eb12e286f0176ec56c64018caa557edd663

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
387fb63d72c89130a4a38c160a6e3751

SHA1
6e805e384bb5326f9bc660887b7469361aa00d95

SHA256
4e5643010e36445be7271beddb626a9973a1c072fa4c9626099b896a897fb7c1

SHA512
03c569a019e0ea4992b497caf9983228b2a9d600f2d1a47bf2ac25266399e039c3511e792b350ba968aad263f05895fbf9fdb24d063b99de98a303ba76e5ef17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e5386705e44a76b30d61693ed3aa5bb1

SHA1
8d994a7e1d6a8b42f04f0b358f86d1fffb94d4bb

SHA256
48e046fa446b52d03992e20812d7812dee0e2fc3a1460df0d08ef1d13e721aad

SHA512
2aff6d5069853a72fd93d23d371469eab6e2b82ec5b67f032d275105da47505b5763a2bc501fdf054cc0ee0e83f92c0b158686ce29c195284e8a703c5d468d29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
979ca1c3c66a7783e99dec5f0b49de58

SHA1
5b3ee2efe9f89b7005adf9bacbf733375a581944

SHA256
4fc9cbe6fe2956262a23290b1999a5b713fda02b468063a734f63bb15aa89251

SHA512
c43a560ebfc7b9c2e25f871fbc9b3f703a1a11e08407f59579b724ccebe076766f30bbe971006d4cc64b8493c8d17d04017cab63439a1549c2b0810fa627238a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
26528ee42c38e58f2a949e81f4a9a3ff

SHA1
8600c47b6e15f4775ba9bee401be5cde79376306

SHA256
50c193a46011435b0ad6e029f3c9769e32b5cf51091b67b6f5323b5032d3147b

SHA512
c9d49d35ae29e7e54a4eb3684af8c417759644d4b3ff63b84bc98cdc6914ce898cabbe409f73b25c19518976e45119cf35989dda0c2a7f38e81ebbdb91c9eb50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
6ec3e285b73459630ac9bc97aa5ddfed

SHA1
deeec6bc9cbd8f56a7b7b38469b63394dca41ca1

SHA256
d6c8157324d3fe3c420c7e83657304fd68df244d37a468b44e8818dfee6f8265

SHA512
49a9310b59b9fbc92d1becf81c06492bae2287f3f8e3fa0788594e8d525d118dd52e99fb5c9582c1ba945457447dab7c896b6b6a8d573a14087ba420d61d2762

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c14f230c2fd29a7863ebd88e72e26f4d

SHA1
cbf9c6ff3b9187644d073b6555648e5f39ce2807

SHA256
de8b8e35715db778a10f79f95e580425e39a2e339cb347e332b4c822d54db072

SHA512
b210634e398d59469b6305d5f0fd7d32b948616ef58784aee90402bcfd74ee8937700a54e044d783c160d8d56edd5661e952da28ad57ad51922d8c9498f14557

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
bc166f1d6f340358f5c98aee2f600106

SHA1
cd5451451293efbd3f73646fcaa6c9c877628870

SHA256
2fc22347072dba700ba93c797b270df5d29d2bfdb86bca2657720c21d9cbcaf0

SHA512
66fc1887aea963cde5f968da9a7532cac8a177267b62621fcfa3979ab8a09f22b4e9c5f0602f1075b805449a1d103b9966ae44eeb1d24c1bd91027d2b2bd6008

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
913e060146c28cf5a29c38cdfa0a8a24

SHA1
09b08f36942334457a39c3cae192fe5e23047e8c

SHA256
92e671ad4ca5db3d86278aaf0dcdd892b8513e9999b1b9b49f392263bf01f6ef

SHA512
8e0d121d80a76eb3b6e4ea8ccb0142bdd05f906dd468d9e732a1efe87baa4b0a4a00afb92c4285d18ce51b2dea6472a6c128cdc3c62990fc14a6c7e6eaf4b345

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
cb4688dead7465d7c43a2ec5d7da556d

SHA1
f623eafaa59a22effcf7afa9cc02b9751705edb0

SHA256
800d9d3fd639605d1711807ea77aa50cb5e9d876d5a665a190da976a55bae597

SHA512
896824dc11f47455e381b0e40a2d0ed24d25278f91b4edcd7460d2474f671d5bd25681533b389eda4004f7ec4a3c01c053de6a9ec102336673221d4dd4b1267a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
382b8c8526adee102ea901d559573e59

SHA1
f7953541f03414c0379b0df084dd328d140895be

SHA256
da0caaf976385d96f3688b1ff1319252de067cff248438f25238cef2f632346a

SHA512
cf8f0253811c0bb787ed2bd9f4d5800be7058ab496b2c72d6f6deb52dfef7c440fc5d7ac11a8c76f5f7ba91e37b85956756ff7d447a3347602cd8b0e9a227f21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
44b050aea0bfc82062577b6303b57b20

SHA1
a0e047f801d0102588a1b77ae18a00ae100855a4

SHA256
be4f8d5267c1138af5e2c048d2156ffa4532dc456b31e300567a7641a7b8b1ce

SHA512
773b4cb5bd1f5b886655a5084ba2ee7c6ebb043b4167daa62c52379a195e415c801c7858e850080f007e336b6353fb4f3b9fb1def312c7b516a797ac96cfc2b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5581789eadaca56c63ef8fbede8b0200

SHA1
f63f3258f09988300a3699044fa64f39f081f7e4

SHA256
fa89b0d6cebfca37371eb64a79e206bed4d373eef98a94fd4539de104c23c99b

SHA512
1f843683c68bf5cdfa3901226d7629cc2ce597534ae34a284d5c6df37020f0821906ff52535b25e5e46726a08b00718eab790b22db021718f3840d58b458b7af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
7532ef6621869a60bb625078c34697a2

SHA1
275e821bd8d4622aebf211927b116fd07aa7e5a7

SHA256
9630e72ba36219c2caba7af2a449e04aff01c8cae7584fae0fad4220648633b4

SHA512
80ff2f5c32c8526ea3096835100489e7129d5c7795f89c0b6e4300de3dde11cd470fdfa051e1027994d4a0ae52609ae68178b3d5ec98617546cb47a2f77b35c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
ba75d42974cbc145d7296072ce6edd5f

SHA1
f7de595b41e04d6fb5e617d1fcf71b3b3280e986

SHA256
ea562fae65f1fd4abe4d90b8b922efcc2e2a13c314c53b7877d92e1b7299063c

SHA512
91d048055b42a4593821d5b0879145656734e9603d4efc458b385588caf0df4fe33cb366788a8bd681a4a53d54204d8893ff189347b6d404f7618e7954acf1e3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f51fcf5985015a5f2d5eb92d35cc75c5

SHA1
ed0176909a2d105ffdf12c30e4ae9631311cb381

SHA256
9d927d5258a936bea2b5501f5eb163b929a3e74e0f2051b4bd6c892392518629

SHA512
d5e99f6afdc03a9d359258c24820ea1e0c1ecce944a9aa925ec58109749e6e173983087cb7324a87c598eb71252c225610e5fb13e9e797a8c44ff6951aa5ea15

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
77e9945e0da5765831bdc6cb980b58af

SHA1
d335bd6ee0292c22cc2a23fb159a6719decf7c99

SHA256
fa4b3575cf0fbce9f26c5688936fb2adb9d90407706f4791130aea5104ad6590

SHA512
0f143469770bf61181a0d65a670aa24dac7959673967b3520e478570a5306b71f040f51f89d3517994d4453702f700ad32f7b1235c0fbc9b2da20b7b4aee3a4c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c46fb5cf1bdcde1bbc2af93d567f7a0a

SHA1
88d8a9190d33985710809e0642278f90609a26a8

SHA256
71acec5ba121aeef244bdcee8f1101ccca1e3b76fda6bf504d6799d0ca9e1f0a

SHA512
996136ab65f787dec890be5b98a4c58efc1e1b0b8a71e8488912e38cab6320f248ec8d813d842384267e53d8f4255746ccf001a9dc1ed0734f9df10dae6057da

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8f4e1b372e96cb340491d1f283f7d697

SHA1
8389d058bd5de8872df955c78ff23bf5d25d89f1

SHA256
53944837ca91ed9169d23bba7d61b2332559682993604dc193c5e1db5a86cfe1

SHA512
01e29649be0f1f771976dffb7cbc19cc9353e8631198bcd31934e744a745cee617391e73eb02b3574afe7b52205766a36711205e7776598e3f13c79ce5a8aeeb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
5ddd2368ffb3111df456262dda6d18fb

SHA1
2af4ffad99aefdbc5ae5b1fc1b2d7515130fe909

SHA256
f53da7c51aba9fe72c65777217a4e9ab986eef2ffb808796b8d70552c046b04d

SHA512
955dce894ca7d2b332c157bceb35770d22efa858cd70ca9e025606ed181f926a7257152d162175f3799cf1c545278ece45c3f76bd70e98db7b0469fede7f3ce0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a2668b0c127ef894dbdef13b95ce6444

SHA1
d37ea4b1c71626e8f598eed20dbd4e17ce18f263

SHA256
1f9c0c704adcb381a11fc1a057eac4d331753346022a37bcc6f0c3ce7e3c4060

SHA512
2a44f30b8ec7a72a2eb26fa14610c01ab0e6064d50d6b4af251cdf57ed9948bf6d076800252c7c92ed9f65a4e4284b492385f0595f830d745844d65c6b673aa7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0b787e7c4cb35f50e30410354eb7bb2b

SHA1
52554aac8670cff7e45f2e4f57d40c602c41c8c2

SHA256
becc7dc3ebf50d4cab2d4bf5f04e4f31cc3789b69866986da010ddc46c7fe503

SHA512
626591feb4d580971845e237b26b1c01ffb8b7fecdbe20fa96a710254d46aaf3cc7fca346c9b89e77307adcc35b05c0e5247a3e14b847895ee61798faa2db8f7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
252762d7bbb84835545b06e3df6ac26d

SHA1
10a7ce55a13fd09a9c5083e825b2e738c39f472e

SHA256
11f6cf918cad1bd08a8a54215b3a5167da2c23ec8c7b2c6e84aa97ebc5da5256

SHA512
edc8c37e1f1472053fe3c78fad3ea08612f2219e8d1e740d8edb85130a9de30acf7affad861d2dbd2fd706c3bf505a9da95e2372029bbd44e40437f63eb4161c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
324f58e9f9aac6cd0114fbf1949ad68b

SHA1
2b7ef48e2520ad05f9f6a6351e0c0fa5f7a3563f

SHA256
d0dd90e1100c3571d5a2e5c08a7c5066815ceff29d01ae9f967431f2ddf05614

SHA512
1a98c01304c54686995cc06ae556f8334ac592ec67c1c5e907982c8ba8b0f619f320a033c25801a6ab601847899d3b6e0d123177cbb727b778ae21b0d7fef9a7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ca01197de7cc0f5452d4630b3d175407

SHA1
13926f6692a8cb30a3fdf084238e4a30c73c907b

SHA256
fb60e00ac156e8ba2fe6fa52a55540449c77d7dddf1d2717da9804d1c62ab32d

SHA512
d2b6fb8c2b722252ad720338b074b71ee57142229b266849d40dee104919494b8e0562ada4b6c3f15b56a6c29713b54015cee80eb35086d80639ec500c600168

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e4b437bd8050faf3393c444c73a172bc

SHA1
c576dbf7c9a1d0a26e77b7846fde3b3015cdd3f7

SHA256
ff00b451c4a44c511f11a68d10ccb0395d565b145c57638ac9d28398c63457cf

SHA512
165a57f34a745404242a0d8d1227219c29a14b073580c8d21398c5b0790ead2495beb2fb0bb25ee4024e2091d969513d2129a046e8de04ac08068c40faf8fc53

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a4a30c5c776e67ea22c190ea61975d00

SHA1
43fcabdd012dcb7c3bfb78635b465b834f089e89

SHA256
718ecc39e0cd3588bfd3e0cc6b6cfa46682ffcc88c23af77773ec3369d663703

SHA512
dad977a9c3949d87d7426aed6fc324f1fceee69e223938a38f600c2f904a182f25450ec6db7e167b8cd35fbc09a219869e47460db8bcb81721308e2827b13cf1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1528636d4b0c3051cd9b4bbde647cd7b

SHA1
4cc169ef169eb9500b87fcab98cd245977f60d72

SHA256
e10ebd1a9444947df36cad52ff1c35790021b624625ee48b47de83987609c9d0

SHA512
aebf013e2c225378acc84616b2fbde17ed19f5e7a5ade172a8af89e8ef40fae67abd4446f6dbabc86313215c5450557063dca341cc3df15073d809514e57a0d4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ccf31b1d2ae4a6072c72076c529b3618

SHA1
86c5872ec6bd897743759673cc7c4de8bfd85518

SHA256
aa3f9ada7a904c1688e677969dd868d6cc2fcfa8f623eb2fcb10309074b7c564

SHA512
b8f67ba20d364ffc611738eaa9b55015f4fc34315a1e8413cdfe2ce77d7f1f4b8bdedd72443c406dbfc4628ce093e0f0bfa916d08987efb1e9dc9226c77cc2cf

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
e187c07394006634e8101b689e171965

SHA1
8b6f930329ef96990aed27ab8dfc1c9034edc8d4

SHA256
c731e32146fdb083d1061d60ec7f4320d0a9fd1970672fa813b9f181ce4bf51c

SHA512
672b856c1bed268fe1c69af96502eb1688b1743afe50a1a5432e138cf1071af85333c08a9cf7fc2a3160700619e2d5784f11d9557f18c293fb2a234d789688d4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b776d94943747b96524bab509ee33298

SHA1
5213f4c0ece034ef565f5a3aff6d730504e146bc

SHA256
5e50e0eeaff1ec40142ca2d65e806a32b3696df869d181fd4bc89ab589adade9

SHA512
b5831fbb41a3a788fdcb0f0bb90cd17c8f2f39ce0cd184e206775d38844e52888e4f0d0861f6f4c227a3685f7758a7a12ee950e2eaddaa312a021a68080cfb42

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
36a897de51af93a2460408b03bc4c962

SHA1
5c6e2315c65f7622091c90983e0d020eaf3a2049

SHA256
4355e9f07e11085de04fb38558e328cacaf17349aec47a62013eba17e23d2bd8

SHA512
3f6054e2f96d4f6f072133c28c413c865147d8ecc768bd1c0abd6919aa7458b7045545af7a6354bb00188f79f85d969395ac169fee840dff2452980a62c5bbed

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6fa34d9af20fabef85b8a8d397092053

SHA1
e507758081aa2dabd80c973b1c44d9d0cdb1baf1

SHA256
8f22edacc3c22b0ad3b3ca94d7b2c73506fc4b2c2b1668cbbd89ce0ae7a7ef78

SHA512
d07908bf006684513c7d1a824b37bf91cfda5565f8721e71880eb77db4701d8c5be884971c958f68954846d3b3b11c2e53defc3f56c8d2f7d83da184e8e96f98

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
35d11024596950a38fae865b355169e6

SHA1
4f7a50ce4fbd86cc9cffba4bde1733a676989153

SHA256
f00e06dcb9602fe6182d6199a5795573948b23415bd6e60c7bc4466f922481c7

SHA512
2f974f2f8e177aba00feec3452add72e6544c26b5e7de890cb6a7b249717f2f9c062738ac6081f0ca28823591097546f582a7db35c267be5a2046fef2e9c9a25

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
28a47bac2b84f598f560baaa771364ba

SHA1
adca41d870df1a1821a5b2d4744935a357df69ec

SHA256
df39ada05510a90c0562a771c68299901a5aa3c1c0305ac6771955d12c85bf9b

SHA512
7f94784d7d9ba0ecabc0f15e77831332a46a84abcfc60812dba07d825783f4ad591dbe2b7007281fa69136c879836ef3124fb402941a7a22e7cf04155ed8c6a2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f9459e7808119a3318c6385c6f4743e2

SHA1
6a38254e4684bd95ffb52d67d743390f21af7b15

SHA256
333884556da92a54785f2d9087f35bfca41d594e8b4e9c7abae33103e2deba69

SHA512
cf3bddc0cfe9ea2907c2a0eb59115cd2b9eb9fb176998bbe606423bc8d983983e2685be3227d6d9b7d82243b1a93db451c183b1d967d867587de35b870860701

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
56ef1102debb108beec44a308bb7e8cd

SHA1
eb8b3f7b34969d946f5fd410eacd90edde8fc50e

SHA256
c2444e5a809c8c69ac644b7be33dc9a19587f49d8beda4bb2e62ff937e3a4229

SHA512
d6ad800cfa9c370a98462814824437ccec74c5ee7869b418edc70170c11bfa9bb2729e54949249c5bd7d94188b8f4d63cead331192eff91e62459f9b2a6a344f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
12d6cb5cd5801a839a7a5e81cd86ec00

SHA1
0a4455f5c53afe85dfce6f7d582588e6d5a2f102

SHA256
79e272e150986acac81c7ce90d36ee51551e6bc1de84c2fae720284b250a0188

SHA512
6ec26eec2d58d15febd2e6e6c7c3802a144f40e6dbb8800db8627d7be7bb35be09998002c0b7348e82d50abe297d46b6fb74c9ee72dbd705c32e91c05734bdf3

Download Submit
memory/512-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/512-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/512-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/512-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/544-270-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/544-336-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/544-278-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/884-118-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/884-190-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/884-125-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/884-126-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/884-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1048-309-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1048-296-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1048-303-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1048-307-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2140-359-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2140-351-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2452-371-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2452-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2736-215-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2736-281-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2736-223-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2740-1-0x00000000024A0000-0x0000000002506000-memory.dmp

Filesize
408KB

Download
memory/2740-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2740-131-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2740-6-0x00000000024A0000-0x0000000002506000-memory.dmp

Filesize
408KB

Download
memory/2740-619-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3068-192-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3068-199-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3068-254-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3352-171-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3352-161-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3352-162-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3352-227-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3400-211-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/3400-267-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3400-204-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3432-349-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3432-290-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3432-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3508-242-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3508-250-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3508-311-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3592-262-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3592-256-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3592-323-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3600-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3600-105-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3600-111-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3600-114-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3600-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3652-333-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3652-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3712-339-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3712-346-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3768-143-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3768-158-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3768-146-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3768-152-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3768-156-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4152-93-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4152-92-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4152-100-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4152-160-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4448-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4448-86-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4448-144-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4448-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4580-176-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4580-187-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4580-240-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4716-319-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4716-313-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4716-675-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5104-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5104-228-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5104-236-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download