aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
Size

1.9MB
MD5

c9ea0b3f88a068e7b2f48c146ca67ace
SHA1

1a63abd989f529657d155ea1260f4c3651ec69c6
SHA256

aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49
SHA512

7f0198f8d839c8ebba13a5b41febd35805021efa3ee9adae054ea59f81e00060207536f4e1c896bcd8bd1d856a7ed8f64f891ccedc6aaad155b00eefcc360fd8
SSDEEP

24576:OwyjcbxnxofN2w47maVe6FPiFrrZ22jC68eXwAvwqcUIfEQ7p08S8:OwSQxnxc27KFiPMRlF8eXfvwlK8S8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3344	alg.exe
1772	DiagnosticsHub.StandardCollector.Service.exe
2912	fxssvc.exe
2124	elevation_service.exe
2428	elevation_service.exe
2384	maintenanceservice.exe
3404	msdtc.exe
4532	OSE.EXE
4928	PerceptionSimulationService.exe
1948	perfhost.exe
4148	locator.exe
1912	SensorDataService.exe
3932	snmptrap.exe
2788	spectrum.exe
3176	ssh-agent.exe
4664	TieringEngineService.exe
3104	AgentService.exe
2892	vds.exe
4120	vssvc.exe
628	wbengine.exe
5016	WmiApSrv.exe
3008	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\spectrum.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fd659214234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\System32\vds.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\AgentService.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008403e716009dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfd5b515009dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b52d616009dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bdfa116009dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bdfa116009dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000412dcf16009dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbdbdf16009dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eba0e416009dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027fdbc15009dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1772	DiagnosticsHub.StandardCollector.Service.exe
1772	DiagnosticsHub.StandardCollector.Service.exe
1772	DiagnosticsHub.StandardCollector.Service.exe
1772	DiagnosticsHub.StandardCollector.Service.exe
1772	DiagnosticsHub.StandardCollector.Service.exe
1772	DiagnosticsHub.StandardCollector.Service.exe
1772	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1096	aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
Token: SeAuditPrivilege	2912	fxssvc.exe
Token: SeRestorePrivilege	4664	TieringEngineService.exe
Token: SeManageVolumePrivilege	4664	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3104	AgentService.exe
Token: SeBackupPrivilege	4120	vssvc.exe
Token: SeRestorePrivilege	4120	vssvc.exe
Token: SeAuditPrivilege	4120	vssvc.exe
Token: SeBackupPrivilege	628	wbengine.exe
Token: SeRestorePrivilege	628	wbengine.exe
Token: SeSecurityPrivilege	628	wbengine.exe
Token: 33	3008	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeDebugPrivilege	3344	alg.exe
Token: SeDebugPrivilege	3344	alg.exe
Token: SeDebugPrivilege	3344	alg.exe
Token: SeDebugPrivilege	1772	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2640	3008	SearchIndexer.exe	110
PID 3008 wrote to memory of 2640	3008	SearchIndexer.exe	110
PID 3008 wrote to memory of 2460	3008	SearchIndexer.exe	111
PID 3008 wrote to memory of 2460	3008	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe
"C:\Users\Admin\AppData\Local\Temp\aea66451be73e34da23aa28f17711b44fceb4f7896b9afc880bb216cd2d18d49.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2256

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2428

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4148

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1912

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2788

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:112

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2640
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7a74ed06370b5ddae8cb49cc6d1466ec

SHA1
496337aa50c36b0cf3c7a112c697083c7eb9a9a5

SHA256
723a1a661d179305db5f14732703d263471c40fb379964ea525f5b18dd1cea1c

SHA512
ef22a9f89d2f4bcdb7c8b33f9f641f9495aaacc26a66841d42cf0b31f2f3b4878155951f5b569337041cbfb442bef78c8a4dfb695d4812c8499cdce62670ce1b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
fd3b0f3c441342bccd1f735d6066e71f

SHA1
becd94ec482afeb5798eb712321df89eba579c9f

SHA256
f3d5898082954e9ea8fc807a21d207491e44220ba53194ec306927e129fccfaa

SHA512
bee38b99ba6ea94789271d6ce9fda9d093959d2df29ff552d1a3cf0fbb44d17c0e7ba4977ed86d88835548cd0a4cd34b5cb0bde4268765248dcceef9bec07c77

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
5bf5306b4e07c9ce322a1cf03d023155

SHA1
4b79b1d0c1567d1fc35fb0ad47ef29c82e3ae1dd

SHA256
a334b2332bb5b9a9349125a26bbaebd7f5928f2b38fb962cb5d03c2f0b9bbdfe

SHA512
9ad76bdd3c2864e8e3f3a3c36dca8a5efc539a11124d35ed3a58d61cfc43331534c8d40d2cb6771438433587d8465ca7a6330771cc346e7aa763781a2782819e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8ee7830003639f8de46a5ec925058010

SHA1
82152a8076d61b4972b5fd26e71bf95ccd861e9a

SHA256
b540f617d4ed0b956f9b250f4ddc35f954d714df9c23f12c59476f7111838e65

SHA512
683625d1468d01fcebd5a64dfe234c945f969d8ef2209fa7b88e5b96e98e9c70cc3b77d88063f734672e2060ab25f807c167eda44925cead0307eb786f53b193

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f060360301cdeb933908e8fe9d2534f6

SHA1
dc99a8aca9e306f71f44154c363ba93887c9ca9b

SHA256
4a8c974f8fef8d72de4d0890e15a5bf71f17ccf237de05892d260affca4aad56

SHA512
78989d5ce27eca787306163ef0d0a9c23a38841d053a18958decf9ce36ed43dd665caaae6b1baca0fc0075a7cb995a6211946a68fede58bab8f018fbccf73d8b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
fb7180deaf3ff6afa8e8fad01e973d6e

SHA1
8b8c82928b95351b449b9c559f025da89e530c38

SHA256
996bc6c127333ae2fd602d3818787c3d827afc5ffe36afc408bd7e313cf8900e

SHA512
103527cec914c20f8fc9eefd50d7e129449626a94adc21422973c7dade8a73b364ee337ec7fa21a9e46b0a169b502f8e9961d1ffcf631209bbdefb5fcf5ea1fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a6259eb6082bef474a081d95e304de1a

SHA1
18d2fc0b4abbe0d78cfbddd2ae7112a2166be918

SHA256
0a81d8084dc1bbf2dec401eecbb03b3bc91e02d961bea82b964ecd358439e1e1

SHA512
c931f1ed6162651d8bd5ad905a1bbebdd0a11a9ec8fd3052d25ed08b1800a6563337b82a7c4bade7998e55a145b9aa9c6e1615417f134235ca54bf4218ad3fbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
377fffe14b42054c55e7a326811c665c

SHA1
4794ed27b880e0ee36d3f3489c4f510a61f7e405

SHA256
23c1dcdd08d80590d6111c1a837ffa035ccafe525c0f5aadd311bc9f74908c6c

SHA512
373e00dbae82274f33c40758778b7d93df733b74af54dfd4995170a0a486b50401fd61ccff5232c6904aff49c5160071d08249d5f4cb124bd3f60584c744e0fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
8af62e0f8f2d4dd42af75457a36ba017

SHA1
9cb9a0a1f9738f132e53aa439045d7873e2edefb

SHA256
11a9ca229b5314ca3233a5c19e92315dd1fb4b1a6a4416850d5ffecb2d1ada7e

SHA512
b64ecfa0e40472b68e8861b46e034b606312ff127e97ddca16c44c5321df4c56d8a8733ca3c3bc500d87b4c532240bb8ce7ae5054018653914e99ffae031ff3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9855a7e647812b442ccd4c6385c5bd7d

SHA1
ff6c870185154f344d28bb76683782096895e6bf

SHA256
0702b38bc13358a3a3d6a88aaffec10cc7cc4d9b17df5db71718ebb0b30f5f99

SHA512
9edebcff1663cd4189ef12d4212c3d332c10ec05ad2893bf4018644d0209eaac4384400337c5486556d898c00821ee29a8182d1c8c841f79a5bdaae7085b1c43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
23c189e1e14428d0654f2be0317e63b6

SHA1
d8e21353739e5a58c7ed953033d82219d7c48455

SHA256
25dac41400ec03f63101e78537cfc403c1e04bdcea95cd0c845fb5bb6aa49061

SHA512
404ab3aec91363e5c38dae10ce7831be8b2b8638193eaca6ca40c554d4440d7442163b4de2319e6db2bc463a9cddd5dc32722bc9ee80b9b4f5132aab5ccdfc73

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c2188002f967d6c7fe6bc17e92b0cd43

SHA1
5653ca6f2c5dca11005c9af382e8ba97233cb8bb

SHA256
2abb6a480b69b93fab54250dbe52f6e9e4fdf9a5d36ece29350cb7348a0ed13c

SHA512
1e1a916f8f1450d79e956f50ccd4afc486cad2b9b9384d0dbee03f5a3ae2769192c4185e9272029a75d423d0c93da932828b414569140409fd05c6984765a8d3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1a503213daf9f1ab15600c10cdb6aedb

SHA1
c501a74487c1b72b76b6cf4008ef71e2dd7e40cb

SHA256
c17286858a96a094ca241d94eb50af8983a566b06e5d9fc3501358ef43545b9e

SHA512
3208d15420ce0d51089817147badac66807f5a5c3b65af84445a5b566eb57767e03cac68ec9866f38896917cea745dc4548c33eef463f68ba5c2063420ee6d23

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
855beb8c24cee7997d117f67da1e734c

SHA1
5846bd4129ebad692bb298e9bee99ef4548c223e

SHA256
b9c81b6e75ce499508193aa7d373a4b6be8e1d9779f9fdc64c7bd50b70324e06

SHA512
d247e910fea157711b02b70afd43962eda40fa30a9ca9fba57f71bb290ba05d90195fe6bd4e26f7d4433ca24c187fd34e004afe20eeec9391b9872011f323968

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
936aa49f3c0e108718f66db98e03b837

SHA1
c697a943b504927a3c49f3e5a28c9b023a7e543f

SHA256
65b9b0411a481364b0c3c75dacc6a80641b6ca2658603c170d18f3054c79d84b

SHA512
380b94a7e6fe0ec4d3e0f1b294071f9e9305296db120bdab21c640b6efa6e16cccbf3339feda9fa7ca32f899b11feadb15f5b9ba5bcb052cd49069ee410b2fd1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
c3c9c9bf636c042d8c233ec4014b5dda

SHA1
a6a292dca60530871ff8107eaa0a14ad86d87126

SHA256
69b5d776ee88eaf984c8e7c6659b46a4c4eeab000a34a7ecf4cbee849c0fc996

SHA512
53f818edf35e2b10d6654072fb31e7a9fb8768597fb3df275db03ac09e5fc7ad0d99c629adb614b3415847273b6da427de33f6992cdcd3fa8d1bb5e803fd22da

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
7af2c9399a6541ae9f53b2a29df5f275

SHA1
32ecbcffa18a283b8fa4b643e040826030a31564

SHA256
a40ed7979fc7a1c5612c61e47e0df9c0d044225e404bbdc1c461c1d7ceedf85b

SHA512
63e41862c55684ef4121398a835136aac2f024684851870164de4d8fcdbfaa5b75142fc42c0e1c08356e9b7d8be3db18068d2280a6522223b114deb5173aabd3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
1151619d51a99f00f1a0f551c384eaec

SHA1
a4523ac4c45b11cbb8a725fcec24c90502e818aa

SHA256
48773ba8f13c877d35d7affd7b7fbf9951e74bda27db5e3f41b0a53e62a964b9

SHA512
baf6a8782626b7554f8d76973685e086d64da414f0a03393501ca2e73b1d75d03cd748840355c1240cd93352e4be549d44edbf11f3e9bd5fd67ec032cc616a30

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
8de6c9d439f123f2839e330ff1bd6279

SHA1
3a50af955a6ee538bee647ca085d292aef791296

SHA256
ecf6368b802e64cc5f39a6238c106a5ebc5b35b1fb6992e529da645520bf0c49

SHA512
e6fb76d26d514a1f0be004aee112acebeb34bd9b8f3aa756f827cc748a17f116ed6b064feb4cbd1ef3998650a8e705eb23ad21b5fb980471998abd88e25a2677

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
d796a80fdf782c27dd41114d3a9ed9bb

SHA1
61ffc6e9f95959436049cb821c73feab27ddcdc4

SHA256
060877c0a6dc794fb9cfbd28b7554b1b7bf9189c778e184e008866cfab8759ec

SHA512
cce5aa40c8fc9230459a74396c6dd4c19ef8935574aa51c610860073a08a9678ddca300e5a4860a44b498459d7ceec8863776503fb7013e3589b196cb3a980e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
cd4f1da5382ffe09fdfdb070773f9d84

SHA1
fc2f41b441dd1ccc27feba83f539251d3d47676d

SHA256
db0837f8805e73aa3b80dd50219c4a75f12e1a0232744d9a999dda99d6e2232e

SHA512
03cb19420e50c532b11a89c5573d9b1b3c9306b2b6a710c0a97e5d3dd6687811263f0f10a11280b80b3b508da21a8ef6089eb90d865d43e7270f8c3b44b0d8ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
218b13c75f152b6bfe4a56eb8b51cb17

SHA1
ae7be23da31223bf72d033117057a3f6b2c81388

SHA256
dcd065fdf62fb849390475eb2d810aa47cfa85e4f7b905a0d6a84deeb593bd24

SHA512
923cdb72cd959b7ed2c9a7f4f97aae8428984479b75ef80d2e889ea89e26a1bd1d5fd90ae97755eee048ef9bc45ba2701ff150faf15b8d0853689f049446f0a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
31dcb582bf3b51a49db3dfd2da609da0

SHA1
d19d99ed88405d9672526a93105fb7cffc562a60

SHA256
16b9ad6d9c9a557f51a7b4a9027783990b866d1ce84e34b665c2f46b147d83e0

SHA512
4a769113fcffb94ceea70ad28aa296e945086a063e58ebbafb45029834de5e5ca8fa16ce705486c82b0d8a2f151315061bdc040d3782bfd53c982fed60e3cbd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
cfa0c19e7ddbaaa4d1ab3b65b304f70d

SHA1
60a57c702291bd9ddc184859f8ad34397ef45121

SHA256
b65946574d7452ed50d56aa27cf916cbfe8af4ad68329bdd70ee55953af59fad

SHA512
d4675ae76380d7b59dc2a09b9b08f035db250b3bc72d61c718410a609728d2f9ed809e0c0f69a7ba0f5a84d07a5a0778d48c7d88a7d0fa42f2996367ef567026

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
2fd333f2cfa4518ad0447e09c1eb6274

SHA1
9a485654cfca356c65e4ce04798ca3ec87939dc4

SHA256
7e147fb6997a3af2c7bf2e957e105705a55caa3da5c0fbc7cf1bd2d60cda7df2

SHA512
3f7f1bb8673363992fec58a797adf97e0224af4cde3c2a819ab1f38136b7c11c479f2941f3648eff72670c7d7bfaaa7d097e9e51967b8aeabdc394667c8427d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
105145c773c7d7ab57a943fc6537bb05

SHA1
f6c989b016339c6b821337e4f7870736875284b9

SHA256
aa53dbefc2434f784bf5a493a2365f2826ef54b986256489acd8b12b323c23bf

SHA512
f79dc3462def6b00ed3f58a8a486553a955a50ab1bb05116c3f8f519d21001309d3650c8f1fc3414ef95d4b5a09e36fa36ec8729d7d270fde7044f9b9b4c39d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
ff6cc317b1ac6ee74b2f831d07a5a1b6

SHA1
a34920c774e399844c7c4a490f2fadb645a77a1b

SHA256
835395160cf6389df16ca688fee42a52c05e70bbf4e8cb0dd7c41a73048e4892

SHA512
f006750d66f5ee8bd1527241d91a810dc941de6eec071dfe3bd19e42c5ce45a854e8fcd07459f279e89adad72481f992a5415e0593b44a6dce038055fd81cd8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
41a2814e5f2a4906f3908415ad429cb6

SHA1
d011ae34b72d49f1a52608298924cc37fec29c62

SHA256
5020e7f4f5aabd8b33887cdd3b968cbf9faef10b117a0ce7cdc190b94dce08fd

SHA512
769aa1ceb86690079282aab51fd3b81854aca5399d495fed2327275be81441106dd07024e61b26ff33f1aaf0b0fe73f240626fbe6eb3914acca1412ebc38c46b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
651cb3e8d429a08f614bc37538e1a07f

SHA1
a885141284c9496e215e0029e3ee7b0628eb0e38

SHA256
f8f56af7ec6ad9ac9f5e6997ee32e34e43a62d4fea9c9ef841e563ea3d666275

SHA512
0a032370f921c7062784e3ad202d827174d1cf8b2e474654ec3298c1bad5ebab2ce540137cd263f268e4c052920f2c9186495ac042a208654bf0fb52a570470c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
0914bc2f4f236d588af8a151a5a9dd18

SHA1
2f94381204f056002e6b4fda90b68d40b50e7a86

SHA256
137bc826be0939107099c43f468f8fe0cb0498e7afe64f2b3e6cdf9355f948b1

SHA512
f3921e99e2a6614508c42e80898d1a089867ec40b2f8f5e956d7631e83b56b6a19d16d2f64ca463b7aabde41b3f06a44a17d816a07fb3fa285ad986dadc0cba5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
f5130b2043e776d0de9950dfd8996086

SHA1
5cfa01cf4e8f416a2b37c66833b05e66d7eddf99

SHA256
4c3270480d736decfb4a414e86bcd4f6ff2bf05636657bef605691ac90900473

SHA512
467cdcf5e14d1b935cb581f0b940ff099ec138e07c7bd77efb35a7a04482d0a40fd12f0d6f64a4442f5fd065474d52944939353aebc11d324ca33f10f633a8b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
3af02606941c51b9cf9c2ad77a10602d

SHA1
67dddb8a02a456fbbe7ea39c742d39f7b0b07685

SHA256
6976e496d032330fe2bfc98c4ae21c578a8298155d363ba22779a127922928f8

SHA512
5f1be5f9b04ebba99e1397bcbc24af39d4d03b70436422b3795b03d7cc82e689568c962103d3cc45bf4161570302b3690e64ebd8da76cfcff17492043ba8a1d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
55ce453b41adc70eab1c6e88903639f9

SHA1
f396d0b216e939f63d06847fdd15a234f11c8039

SHA256
e7925e1ef43fa0fcd321465056a445dce227601d7df53d9949faf245631c524e

SHA512
e6aae7ea4c5ba5a05df8c0f4a22bcceb2246506d74626a979c42cc449c9f843b27886fc78a28bb33fec6a4bbf2922ed3bd90260ce8e76a69fba848b0d414cc7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
4052931e62bdb88989f58c65087d0648

SHA1
a4e1e691167b5c40fe7b265a01cfbd18708ee510

SHA256
27c0254cb96287868a03500ee1c1313f0c272660506140e180f0c6de14f56867

SHA512
dc809c07d2ea327223c6cac87c54f322c33a63083ba74e7db170f8e2d6c2a97e35fc9b599246dcd3588bf10fe71ab4a9f726b798bdb8daf7f294ccdcb0f3cecd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
81c517c5f1093c18c64a38b1a62b1c77

SHA1
be10085ee19b3376533778492fc9faa3c35014a7

SHA256
00b6e420f1cca43c165e216720cb267034f2a4f9e24755f98268dadfad29bbbc

SHA512
201eb942144f571906315f6b2070086b66439cb9b72183613e45dd31a8d7f1ce5f1209c12f9221db235b97eaffe5e796eea704facc0d131d334c487b83f08d2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
6a23ac0c0d4f9eff51cac3a654c8b076

SHA1
ed7d493d246b81e1ccfdd7d3c8652ea2746e9f30

SHA256
4912842fc1fb46e0b21ba6f8232a5cfed3a0bdb0e866ee2d3a46ee8e03fd5579

SHA512
e1cc240eef3ad78fba8d5b1672131cf92683936ac6821cd1f856c9acb7b5f5ed9499d9035576161d3a58461a833cb61cd74747172fa462f39cb902adbef7fadd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
a8b613a78f56804c13e62fe56970708b

SHA1
a66785b24f60ee7811a0b16327fadca284c0f855

SHA256
765e67ac08d13358c2e509fe7b900cc85e30a8a40abd7c0fdd79770e50c68bfd

SHA512
c6675c1ef94b5fd78f3bd34950d8963c15a53b6260006b07e64f8b0c2a157ae0c5e183e85ec40d7ff7785d96df0341d3602dc4d3d09cfe1a68a782a5c5864d1b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ba36318e4a0d9349ad3f225a3df6929b

SHA1
cc869197cbeb38d505d3502cbd444c0bb6644b39

SHA256
98edc18da38b1a516924059a55fda63ee64b3dea04c7dcf6bd55d6b07b7e2471

SHA512
ed3e9820764015e0f8ec278ac427b4a6b3e0bd8520b103fee15e276ea216341c9a12b48ac8f10171064fe89285a48978c280a47b15e8b94168a5ff762a8bf5d5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
5c76eafbc7dd2e3c185dbe41aa8c5e1b

SHA1
6da8bed19553c4bf1b0626638c01229dcb04cc5b

SHA256
4246a0dd0c711f2ecdb66b2da2dc9243f85a923060071310a586dfedf060edf4

SHA512
a5fbc8d3ba0237413603ddb61559a1a82813b97d27fe0684bc432ee947b62261f82a4a6df71ffdf3a47be9c6722cddda941c67a342a4fc46864d172c5ca6217e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
7eacd59030440dce6abccd60b1af0cb3

SHA1
5e973d073c3ab62f4f836b03a90bad135ec7cc48

SHA256
c4bc865c645b2dcd71a74a7bc8fdd329119da994f94457f7843bd0f7bc9bb966

SHA512
c1183367184e1a2abc454a3c0217e1e7da055873d4c3db89cd4cb1d3d63cafd43623958a45ba1165a8deed8dc30ae0e29c69572461e045342e284e5ec77e3cef

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
79c30bd6061a785ac61803cc18fb5f24

SHA1
d5b167de8fa628dfb4ec0a76e8eda641549dff32

SHA256
2eb385c5e180bbabd2154f0213b82431d0782586943059d1026cdc7a90c5b6d9

SHA512
bc10a2d699b33b4b5ba4b613d75105bb02d4b685bef578ae3a2d7c154ab3e0f04593c2ad3d893ffbc9ae63403585d204b45d60e2f860e9a415e4b6f4bb1fde92

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8eaa33735ad6aa5c5001bbb15ad06fd3

SHA1
64e0b71f5e6e1157dba0741618664a280be9dd41

SHA256
6e6f17ce7ff01b607a77e1fb141840fb99ab6c906db074bba4a61a349b82d027

SHA512
7cc83df27924e8d28fc1acd6614cdffad66bdf2c530785a809c63f72f48f899228ba7181aac0f1e2b39631fa80cb5f6e13ca15fbae68a7804adf8eb2da25a443

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c800bd976a8000c512f4d461723f42c7

SHA1
245e9f669f1eddd7c4f3c4254aaa75716dd9704a

SHA256
e3818ed7d3952caf866b72c0a2c7300252f0274a7042144644f0befafd2698e7

SHA512
f5040baa4c8e60aef6a434cb0c7c3f9703ba695759f768d2d9f4ccb66a2850cf84db6663aa86957aad1e18695799f151c1a3f97b76a4bfbc5802d2f0f8ca9fab

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
6f80b8aa148f5eb8682ea56777926955

SHA1
c7f2fc0b3c47871a4a41db21f711456c522722b4

SHA256
5fda98500fc669d936d92e4668e761fb4e07ddcca44e2628c25bb865f28a3926

SHA512
230e59f711f4a00c52ab259c171d1fd76063534983c6d70f1839b157a5b1fc40ea96537d1a3954d71798d2686878e4bf33f39950211e4e9818af45afbc5122e4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
e49d3034cd49de5a668f9c950c153c34

SHA1
66902198a90614665c5016ee44ded6d0468a9822

SHA256
e87912d7c2bbce3e13da9ed0fb8da73a27518f2c6e160c8c8ef5c1d7d559022a

SHA512
2ac9eb640692c33cf7ded1b1647cb52a70da0cafd3e342e83e053c7d043c0fb39928f2bcde31ca57449a200919604fcec1658c5d8f5f93a00a3a7d82ee07e3cc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
030b459045e5985cfd9e3e5a43272fb0

SHA1
e0de2e5f7ea9b7547b01643ce4494f4b0993b482

SHA256
5bf25fdfaf4abe2585a308fedf9d83c46afbb719981f148c42a425f2b8106c69

SHA512
9c050c3c8a2d742e0b7de5f8911c3c6f5e9e87b5682d48e10e556cf8793097b6e54e41dd374248b88c980900c456b8d1a27d8061e608030e2fee5eaab7ce4fc0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
789767cc36f954c42dd8bc0d5f592b12

SHA1
0bcc1e7e17cc46fc5d7d27673a54fe37eafb33c3

SHA256
2d63fbac313df23ae3e722c2bbd2942b04413efab6e8a6cb32eba62acd7bbe7f

SHA512
839ab285cfe17bcbfb28b7f800d5029f0ea0ecbd08176ef49f23d6417415e926cef0a4428352f476d4037d1ac609a4f48938273ad64689470b7ec5bbffdda1ec

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1a2706b71b54a3c523bdc06c2be4f4eb

SHA1
3b0fa3d960d06af431397a0010c6a8a7211f0d20

SHA256
7ba71a3f76b32fcb037a4912d225bd03fa9074d5308d924a1dee206d6c4d23ed

SHA512
3e5b0cd270712675acfbc326b4f5933f8a8a5615f4e48df5fcbb88d2979f08cf6e0432ed45f1d961d230b1a45b89e9ea18a7bb6299287517e2ee39dacbef8883

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5a1ea5329dfdf5cdfe5476e2f83b9a79

SHA1
713f3fd22e9e83cbebafc978696a06bd776c4ae0

SHA256
2febd77b59d918976db473a0a87263fa23dab4889343aaa3c00af6b3848be04e

SHA512
e8a46b3a42e46096e9b9fbfdbc5b05b341d4790d3e0680a5b2fe140d50702281f578d5d3bb19f1c02d90f82df24f4179ee3b6aeba32ab6561474682539ed2b4b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
e5862be070ba8be9e5f9e958c08b8fd3

SHA1
020203896e312ef85c5b30ed2584ece39c22d039

SHA256
e6e0a209339ce7a377373773159b7a76b727742e19dad76c2aa72cb9d6de714b

SHA512
268c3c19723470c793111efb000c3af3ccfe488cf0ce0c9a46444bb301d56aca147ad15f3be84c520208bf2f9815f424a0be5e49130e22dd11f142b50c537b5b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
91911d2c2d14a0303a52b2fc923b2f03

SHA1
a7ed4e33fd7f8cf6863d65c6f8dfd13b56ed8965

SHA256
24792fcd72ba125fc11ced5d2bca5be14b9729eaf649f36bace1335fa4a005bc

SHA512
783a51d733e6c593d220e3a2ceeea934984ba4251f9f9ce2554a690829c1944df93550445667b814d47ae0310081802dfe6e833b3b1902760babc366316b4931

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
5bc82473584a5fa72e98d660a236bc4c

SHA1
bc1683c3bb4b8d3d0aebffc8391b2373802eed3f

SHA256
a2524d7ae0850f80c090d768804f08cce928f9819385a9edee12f37ef5a83029

SHA512
395a8a28664215c20b65bac61a81c75e20f81b3cee441e947f03436e754742cf01a42a25e0594855786f0180e61d6bb6f5ddb945feb89a063edbed5b7da15b1a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
8218eb90ad4526e30a0742256ccdb3ee

SHA1
44dbae93ff9f49550b45b57009b2c1c0fa3ba2c2

SHA256
9a9cb54df3dea559be476b7f96c77d963bf83260f2ac162fdab66106914178ff

SHA512
c4168b47e60171cb7f364c64b947965a74bb6709887b765534c7c80b2fbb5d9c8747575b31b155b2d5a0ec4d3d075a729fffbdd564558a86253ae443fdb72914

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
50ee49b4b3e97005d259d3ecc599cb60

SHA1
26c4c8a86a5888cd028f5d73447802040ba640bd

SHA256
f419f736429d69124f302b0abdac0d079ac5ea729a6c2443aef2f4464fe94c7e

SHA512
e6964f4526323549faa99ef1c7d6b1ec61030364bc5a99f2213d7c80143435c09cae1162cb77480e6abc54c0622741932e50ddbc6bc91cbaf38da38f2b4c44ee

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5f1ba4756f2721ad6f65dc2df1c235f0

SHA1
7805b1f630a56e35f71afc490d3656ad7c8a58c5

SHA256
ef7c1e56431f80557256a89a8e03a4a896f1d9a688e003d40268c1a8a156b34b

SHA512
aaca1dea6c7ae6602765d661b7004dc4752bd0f94c488421e0a347abc46d9da81f989a111bb628fc78285a2c5e17e07d15af1b4e674646d1a5e1241c600ded9d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
72e1c659a5c525a71c61f9461e5dc38d

SHA1
1647ab9f21c499dd504e47bdd032c9be5a0274ed

SHA256
0a8fe0d498450a0ab871d68c353f011e181d126dc6ddcef150c78bdedbbe3cc8

SHA512
6926654a6f1994ddacf834de6901a384e93aa9f67ff1b0ee2182128abc2ac093b9ecc6170906d9f132e5b95dc42eef4804cb986cf80a3a6f9f843516a6b7714c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dd3642d3dcbff649fe5eba010da89b96

SHA1
09eeeb5e6d6cc623fda38f592959baac06cd3e3e

SHA256
61aa8e91bad3b6fa0a4e0b2dbbdf72632d711eff1afbc9487f7cffca45278b04

SHA512
d65e893ac645ced22c0509e1ef927f288995f7a1b80f8fb50f0cd359958e71bf0c2faf2486d3986c7388224397c3d8ddb67da0afcdfb591120c4cf37c8f9334e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6cbd5ca16bc74dd4af87eee4b25f96da

SHA1
038e66d66aa9942fe4870e345bc197a7a5158e47

SHA256
171d19e42ef5871c443370ac1b9f35df5e37e93dc9034d14d4b6bb04fa575a68

SHA512
f5e4e81d434729a9833271fed548b462c959e8f8433bdcab5b7abb04136ebb6df3c5412c211c9e87584c7c39a2c8718f6c7926e8f1065e1d83d8541695e86bce

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
c75f2f99f09557ef9f10a668c8f2acdb

SHA1
88dfbb6c138d1758e5295567029fe03f0f0e2bef

SHA256
207b0b366177cccaebd472ebd8efefaaa464c7c906edafb7a4f9c531f385ca30

SHA512
0ca2879441dd4c8274cf7ee206f6c4b6f21be3e9c25fc1a5735c306b335288be533a623b9a4534c88dc0c8aa732560b523bd06680472a5ffdd17e1756f4fba6f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
b2727a1a11e5156e78b5955292d6859c

SHA1
4d2bb0b3a3eea89afcf27681b47acad2ef412535

SHA256
04c6db05c370d49420c11ecc7cf7e7ff32b347e0f4e0a72b3945f17f097ee351

SHA512
fa881760819b1fe0ae4e9fcf62b8460458ddc1cd76f3cf99ecf10e61ec47a1754186b813f1ca26fb0f318174253ebb57c98e07d022a604ccd093e9b14132eb3a

Download Submit
memory/628-274-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1096-433-0x0000000030000000-0x0000000030215000-memory.dmp

Filesize
2.1MB

Download
memory/1096-8-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/1096-158-0x0000000030000000-0x0000000030215000-memory.dmp

Filesize
2.1MB

Download
memory/1096-1-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/1096-0-0x0000000030000000-0x0000000030215000-memory.dmp

Filesize
2.1MB

Download
memory/1772-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1772-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1772-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1912-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1912-507-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1948-155-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2124-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2124-55-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2124-548-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2124-49-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2384-84-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2384-81-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2384-71-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2384-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2384-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2428-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2428-549-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2428-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2428-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2788-269-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2892-272-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2912-38-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2912-88-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2912-87-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2912-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2912-44-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3008-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3008-571-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3104-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3176-270-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3344-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3344-388-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3344-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3344-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3404-99-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3404-90-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3932-268-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4120-569-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4120-273-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4148-159-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4532-133-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4664-271-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4928-134-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5016-275-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5016-570-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download