ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
Size

1.8MB
MD5

669fcd0c67d24d3c0f6f0ead036544f2
SHA1

456bc3ea12f2e4bebd0d6bd1a4bd594bc25f9052
SHA256

ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56
SHA512

670678f119eecb594f269504ad3a8a27ae56b3ee6819d0aed1c8f3183d9ee641baeca2e4d22ae1b290025c2c02200837b5f066464fa723ef0c7988c13189ad59
SSDEEP

49152:7KJ0WR7AFPyyiSruXKpk3WFDL9zxnSVksDM2jh3BqS7YtGL/Als:7KlBAFPydSS6W6X9ln/6MMQS7kGLws

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4600	alg.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2700	fxssvc.exe
4424	elevation_service.exe
5084	elevation_service.exe
4784	maintenanceservice.exe
2960	msdtc.exe
2096	OSE.EXE
4052	PerceptionSimulationService.exe
1612	perfhost.exe
2768	locator.exe
3660	SensorDataService.exe
3104	snmptrap.exe
1712	spectrum.exe
1956	ssh-agent.exe
716	TieringEngineService.exe
3132	AgentService.exe
1284	vds.exe
2272	vssvc.exe
4532	wbengine.exe
656	WmiApSrv.exe
1780	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\locator.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\System32\vds.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b2627ffc234f82a5.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E80.tmp\goopdateres_sr.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E80.tmp\goopdateres_ta.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E80.tmp\goopdateres_zh-TW.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E80.tmp\goopdateres_et.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3E80.tmp\GoogleUpdateSetup.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E80.tmp\goopdateres_bn.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E80.tmp\goopdateres_ms.dll	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c1652c80ca0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030bc3bc90ca0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb55f0c70ca0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053db56c80ca0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002612afc80ca0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f2a46c80ca0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb6722c80ca0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
4424	elevation_service.exe
4424	elevation_service.exe
4424	elevation_service.exe
4424	elevation_service.exe
4424	elevation_service.exe
4424	elevation_service.exe
4424	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3272	ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
Token: SeAuditPrivilege	2700	fxssvc.exe
Token: SeRestorePrivilege	716	TieringEngineService.exe
Token: SeManageVolumePrivilege	716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3132	AgentService.exe
Token: SeBackupPrivilege	2272	vssvc.exe
Token: SeRestorePrivilege	2272	vssvc.exe
Token: SeAuditPrivilege	2272	vssvc.exe
Token: SeBackupPrivilege	4532	wbengine.exe
Token: SeRestorePrivilege	4532	wbengine.exe
Token: SeSecurityPrivilege	4532	wbengine.exe
Token: 33	1780	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1780	SearchIndexer.exe
Token: SeDebugPrivilege	2560	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4424	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2824	1780	SearchIndexer.exe	113
PID 1780 wrote to memory of 2824	1780	SearchIndexer.exe	113
PID 1780 wrote to memory of 8	1780	SearchIndexer.exe	114
PID 1780 wrote to memory of 8	1780	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe
"C:\Users\Admin\AppData\Local\Temp\ece1b134ceedbaba847a5ef121005fec2e1741b7f005d5f614ef8cc4e2572b56.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1424

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5084

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2960

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3660

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1712

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3628

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:656

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2824
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fa9fbc8a210e4554ee019c8a002fc240

SHA1
f5f97ad7cae3336ec849b935a4be2cf89f55e5d4

SHA256
49fa2244d727912f2422c2dfd913bc4befbb416a93d6077f46b0335151d178a4

SHA512
8aed2072f3b5ea2664fdc9d61ed450fd2705a4206884fc23a808e89ee39976a1bce5b57cdbda2a8ac88c419fed9ad08fbc84d7ea09194f54b2a7fe8ae926b56e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
90d549a55cf3f44b716fc5a6bd367e0f

SHA1
42224ef032c9b9a3b4f56e8bbc38ed2abf89a611

SHA256
7e39d6979cc4f89ea202b138ad31ad8d9a44aeba9bcdb8a6740665f924bbdbae

SHA512
deb736d78a73d17b0a5168cede739edbcb9597165a4d81f19c6cb0e3af2aa8039f48880227d51b550d7d0ad1d0512f2df4947bdc08912eb07092af1de0a069e2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a86bce63b562ec47de9716f23a80663b

SHA1
986860eed24ec46b2eb283cd1ad469af49da42c6

SHA256
04bbfd3afe8c5b5acd14929254a8734420d8e9af2618a0236b81b8b8be770320

SHA512
94303f842630db90515048257ab718363ab69c30a5a1ad64afc26067f0ef6144fdde4c41c5be86d02fcfdf146cac120e3587e72d22166f204170f0664e03e163

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
109b7117055f121aed1a2a9d8adfb550

SHA1
cb1a08e010a1b4fadb1e86e1e392dd3bc7cd8512

SHA256
8e6e747d4ebad24555f91099663d465c25e734ff92d1225f34e41b9a35f021a3

SHA512
8e8076e955d747e92a8ec4fec2dbf79e22df700d07be2bda34dc4fd9a5065d68f2eeb79d0fafc878c7ec1f505c859b1029bb34b5b2ec780f702d3272bfdeff0c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f52f9e2562e6fce473d28dd5cd53264d

SHA1
bf92e151eca5d68c1fff95bea8d756434d61374e

SHA256
8a5f6ea3fe65f8b03ef3d8c16180963ce2b69c17b9dff3e3891f8bae8c39ffad

SHA512
123987567cda546273034813174b8dec0d94c3be254e9bfbab497e6f5e9418d42c20e88a44235c90e1517d68ad9d2f7497cfac3161c35d467b7f293287972f96

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ba0e715e59ce0af1a8708758a5ed6ff8

SHA1
f58ae223086c430abb16f286c0bf28e5f0402e83

SHA256
75a15256f2757ef76c15cf29d5c97fa756259f37f6d7fe90cc9253af39b1ec9e

SHA512
3676832cd5d0f1a4340af296b2eb5ac6ade01dbdbf4a8d8b5dda9616dd4d9ac1f887767fb6c0356fb7028a3455476c113335dd5eeb7f9ee4b9871894ce8259e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a9c8f67e1454fdf655af4b140c5775e4

SHA1
6c5a8f2fb79107125477bc6fcd92706115ca6796

SHA256
e3b1945d3799f2c0367c2ba21d247abce069c7c0cf6d1bbcdd6726556e729d47

SHA512
af4cb4d76a00bf3b0c9b8fe43af107724a2a22cc155d94677d11fbb8a6b2eea70992641410b2ba4c63d4dd6113f2652b14fa1866aad43c94006079b5248929a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
17d0d76e7a554d7c5d30136638981156

SHA1
6995cd4def715ca8cf85028ffad1828b7341696e

SHA256
17b88ae354e4912ed6e6042c08c3e87bbc34556271a65fcbdc1aa6fbc91e9d19

SHA512
b4c03536fc913526777cd2e24664e88c69893e1b46a3c2db4967eb032b1426b2bcb3fa08bda91c57b359215a8cdf1c7a1571620c1c214ea3af86d62f4e495047

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f73f19b5753dfac056943105a3e5767d

SHA1
68cb08e778bbb29df67e77e3882c821a325cc99f

SHA256
775a0b58db687698b7f78be62ac817fb0b27db888c35ba1947dce5171fed1560

SHA512
3d7909c316913bb4157e6870e2c61c4a7d49babd5d6d12482d4fb6ef43e84a7b4687f3db054c9f7d79414053694a67911f6d823e1a476980105aba2b839b54f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b8a0e74b9e2e94214ea1238941c05a5a

SHA1
68842560930b60f6cbce62fe3e3de29b220e8e1e

SHA256
90767f00c3ca1a4b78bf78427084283e2b949f8038bf970c79098213703045c3

SHA512
ea20b9a0a09e9ff51cb2de3591e7fa2636fd26d72e9a5716d2dba881b3be18b8aee059d97c560788e595752880a01385a1997fc84cb56f4d460749a40cb22411

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
34906bb57a8adf65c19072ebfbc3f475

SHA1
4b64ff2d817fb22cc7eab0317b4346a556185de9

SHA256
71852d840383aedfc29792a7569ea4bd280b7e1c92eb529e3c4fc305fffe201f

SHA512
3e5a259bdfe7ada332e7b6026a44816c9a17d6807d4d87201287db4cf812470ea1f0d1b30e5d51202707d8c383bcaf1644c9f80e4ca9d76d76ba9e65b613b3c9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ab78c284100bf0f17908d294011f6bf4

SHA1
e134da0090f1a74ce008a385a8a0c0540bc2745e

SHA256
2f02593e671d84394467046c9f8c9fe4a5067176921b51932c0f210ec43e547c

SHA512
41371c02d491cb50cee35d7e08255db14a107f680b2269029ddcf9c668cf5d2453b94e7abf3db28d1fc68b630fb7f30b6693b6e222900b0bc5fa3f23b409516c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
5b67605c0bfff213d127d6c69054b5dd

SHA1
f729950c10226a045b69ba088867019712e87390

SHA256
b326c52d869b5b7500f79ebafdd08a75cb2ecc69857bef856c3449eae2258653

SHA512
e9ed78911c70be8ae94286f99fd3488a2c52752ce035d7ea5146e29bc7c62dbd45716d179b789c9d0be6eb1a401ffec337c4c7100f65a77ff4dd072c25c3ce47

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
8ab4acf331044e680a6716a72f3b2195

SHA1
24dbca39044d8725294ebb1f61e4978f982788d3

SHA256
623a9749fbae596a670ff51e146b8a4e8c2d063942ad4b17cd4736580a71d280

SHA512
d35a66da67c77bfc4ff542013d06b84cf45b3cfc40edacd3991eac56f80e7882a881c2d3680d2568dd1c58c145d3ab79f7ce1b4fd69ea51f17c28bb1188cd480

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2e16f729058147780ba44e918b34a0b0

SHA1
3fab140b8e6878df7a331e4f66d73ce525efb619

SHA256
5f46c51a92c4bd538fd853048ab412c333da4e1fc6c8fc05abd802ad8bfc9161

SHA512
d2dfc4b7aa3c6dd54b4dc03a0d69bc49c1fa846aa4dd6412010904b86e6234424218b12d24b647b2b1c12bdccb3b8836ec5305bb22a2de917b1852d91a3612fc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
1b565a52fd7c7fc45330ed16a0027d63

SHA1
3e8b9a5862fb9b3845f5e13e9ce709195bf97e16

SHA256
344f6d8c8dbad364e26005248ff84253d916b7293f530a39f5bb215e0bc96828

SHA512
b55eaf3f60aebfbb2b6014760befae537adcf401b23437939b025febcb224301dde7838b299932add522d705689cd8bad51f9dc37cf3ad7aab1177c35c01a74e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
1385303777d9feaeb534b354f2416924

SHA1
6ce3ebcd5587d795035ed813ed1bf619447f6c03

SHA256
6c944d900d2ce9ee16b9934eb1f7309bad146314f1c6cf9ac10bdd433cfc12db

SHA512
5aca82b85af910f2fef9946e94be4ebb0927b7d502c9163f5fa1ad680ed70fccdeae5e8f9ff893419754a7fd7e8fdc7ed2fbb0eeb2a8a43fe25459444dad669c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
1076f09a0842228d1d58f0483cfc3700

SHA1
f565672534533a915a76fa47b436bdfa6721abb7

SHA256
07ba0f2229bd741a2bf82adb8d6233353dd6325b3e85754219b0aedaaada85c6

SHA512
41e75728ba185f39a23599907ba4831b450032e8783ff9052dc9053dc8ab0e20dee4f380f7a517aae8237573478fe9593148728f0b39aaba1bca6dc4cab3b475

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
85bec997fe0bbb03585991d9ceb6a9d5

SHA1
2df68132d393da38bee9726fe492c2ca53f89a67

SHA256
bac1cdaab19cb381a3ba07ae29ac05456b4e8a5b02b51b4055731abcf516a95d

SHA512
5baa8bfbcdf0c1449f52e743589d8342a6e010e1abf8981e50eaf3769139139e3a3e12e4c0d0b0c8cf5bfe569745934e8b792c4e6c55f068c006733db61040c1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
0a926f831777998c8c95adf5331ff8f9

SHA1
1ab9e701184b58f5b603f28a0ba4a7296c624fff

SHA256
22f8f5d0a0a58e28ee55a7dbb125fbcc167360cd29d73d4888f7571c429dc9bf

SHA512
36fdc31fdb18229d42adb1a9ea6f2461d6e933651ccde6323da8c39be57d0e9a092cbb19c2a4c598e3dbb37abf3d5f9a590082cd864b07cefe733c52aad8b9db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5c3cd3f75692a62e95e6e5c42952a85c

SHA1
b35be7128c494c57441d2886644fcc1b63c6b5ae

SHA256
663f5f84bb13a26070d4c44b9ca84b0aefdd11a6739e6986bb3a54edc05787ba

SHA512
a93bf02adcf51ca6e54a7e3031ff86aef1e25004b7fa617068032bb095da7f94a2183301096f8b9c7b3b3ffa75ef5b8160764b0c47607c3b36d261499896b502

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ce826149f4c74b8b831d96efc6902d8d

SHA1
64a7e1e8be475e0ba7b492745b005dc59f72b673

SHA256
1fca01dac6de8c413ffed511a08f2e3020626a0c32d4ade0f009f82ef2c6bf7d

SHA512
19475241a04f325d7526949007272462e950fda66f0e7faa32c9d0aa7a3dbc61d8f081b9c9ec213066e8caec50d4957c9e57ac822ddeda40d7cae6c02a485f46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
26260a25124419407c7cfa5fc40199c8

SHA1
c5d220b0ce56e9bd975bdd94470b3fbfb4b135d1

SHA256
18424a68b5ed7bd354bb41a90ab348cc505640a1021e4caca0f3ec8e326f4f6a

SHA512
fc0788dd12c505397ff4a0ee3587d25e08902d076897bb5c2de73fd51b8c2160324429c87db41a8d1d0e45800fe269f0c638741c99a35c51e3b883ede22b4e7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
c4ed413c36b0a6d639cc4d0ce260cf12

SHA1
79ea47bcecdbedd077fd347d2cb3fae735000526

SHA256
a56a6046ad4603bc0b1bc89e691464c2ed3430f9ac14511eef4f6c374b33aa0c

SHA512
f0b6bdddf074a19260ecee0770253b47da1fde977fd9b9d94157afa8fd4f4b6085f67fa2d8c877ad06f55c5b4f1d1e4bc008e1e922609cb092a2cc9f83830631

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a9f76feff84af74dd5202230a210de5c

SHA1
6a03ad4e57a3ba092bf00850113d3be722d20206

SHA256
e68d0fd0be1d3e7e0ea2dc8e4152e7e2546dd76dce44423de626b03e3c5a387d

SHA512
c9defaba1e30d2ded8e73c5d1b6aec80df1c214c96153ce22151c18ffab4f28388ee512a6986ed5a66fceff6bac67efc882c21552e1f271cca2b9fe0b06f3688

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7148c708bb65416fdd1ef48854acc902

SHA1
9fe38712fa07198a9c1e8706146050ba3e96610b

SHA256
0c2e1dc123b718b5a46fd3d5936e7096135cf8e516cda1b5f74cc4851806edf2

SHA512
e14f7b1613ee31af817f81b553ff59f45d74f67fc08f978b804f8295d0c95e969c7f802705fa07b7598b907f2cad5e337797af2d7b4c5520b72ad8831dd34f22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
6378e29b4ca97d7c301e3b860def7d1c

SHA1
524d0266952ee2804b11b7b58c96ecd873d49e0e

SHA256
350cad37a9b40b99291fda60143ff65deb78887845d67aaca95dfe4336f7a60c

SHA512
019dbfbab650efe3b6d0f2870ec2cf9880b2ae9c397ac2696cba0b64000bdf0502aff06918b80d721d4e9790333172472de0cbbaa41286040a7630fc04a188be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
021733892c22a8e32f73c2cd9a1ea4f8

SHA1
765a2ef8a9ea2e73768b07e7ea0f1e8d6faef341

SHA256
fe696e8d134364a46b976bcfafbddb3c31ae790509413c16b3161b26fce836d0

SHA512
4c1f5a5268fb0934f99bd008705efa0b0891bea7382668b779bc4a7a3bd20e958be46cbafa34e00eeb0cff3b7de7539b2dbe1b37c3d19be08c158f1a223dc88c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3237a64c7be4a8dd66d488062ca9f010

SHA1
9b82a85e2bb1d5e0483a953762e3f40e2cfe57ec

SHA256
ac5d7ce2bbdb1f596d306512d04c91d91a7b17027bf2e840cff52573b7c6e3c9

SHA512
796291f3ec6a2b1eba083ecf8731db860dc419bf057fdc0e7c3cc73bbd650e469fa4208adc72ca923f88ddc87273cbde74ab15d0312b89186305cc8733fbb6b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
29501771e4bd6d46505a96fe242565eb

SHA1
09b7edb113dddbb110982f7651fbde5758074142

SHA256
ef8c62e34ecd1fc299ed1e2749a86078f5b25b7b2a9ba5574edb5b25e4f3f812

SHA512
e37f9e170c5a6ad355572b279e9d92169237453db034e8c9237eab932e6105f2d861c8548bf78ad14e0da3e03e9d845a4306f5c21518c5d0990533b478923e21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a41e54107c3e1d61003387e85654f1f1

SHA1
2ef68c7bb497cb01ac64cd63d3380aae1f02d2e0

SHA256
9abd57352e8a8efc18e9c6436e07b13ff5fb09cf441406b5dd1c789805520864

SHA512
1439a284b7b6b86c8d04c2d92c54340092cfd6abe76dd17cfa2386cc282bdb1f760214780a70151acd7a2ac01612b082613f50317dd5767ef178b0de5580fbab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
6356f8f9e0798e30734872ae4b0accd5

SHA1
144bc8e768d566250cb021a4a0156d9353c132ee

SHA256
a6617563e356dde255a9761470743509882c7657f51ca5448f1b9b0ca377e48f

SHA512
f80472b918aaed1e1e45396d9cdd9b1a39c4358d082e2b89d5cc9a6cc371bc0f68d826171d07ad50a34d38579d34e884c3ea9347f468ab10404b8a07e11ea70d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
5c81c06fe33da0c4b5d87a2a82d8ee7e

SHA1
c0110da2912d666626e196546f0338c62421ad61

SHA256
19eb01828f3d9aaa4bda322281a4b70208b10889e096878d7c626d548810cee6

SHA512
773f6eb182d045b39e40d1c9937c11d80f315a41ddfeccc91d74080659c38de9065494494daf2aa283f74244e7f7061e8ace72c8cb032d333716ab5c63bb34eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1d820756b16af0786728a1de559d9fa7

SHA1
5ec15ccb6888fe5e4b26d1a13564fcfbb27f4fae

SHA256
90b48f1ab203ed59740796857421a95cea1cfeacd7e1f7c5e363455ae1c57064

SHA512
8698e6c7360ee37d121b1d4bd06ab55f4057b01b5f3b8e785a4b718400683d3244f0bf9df8f62780f84fb660110b0c01cf677f6329043368db4729552fab5a75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
4df95ab4cf1fc8a656f3357a005236d7

SHA1
229898c6dc4122336d4e6a11dca3498b3258c7fb

SHA256
1dc9633ec5051624f6cd550a76ad0eb62943a20dd2101d2ec8a0d751f29f3197

SHA512
f7ca394fed58af49c13542ce17812bf682d7ed103797f9a9240fe36243e639509754dc259774bae4968bf61e09ff68ca276bda06d7b0be7121e0f9a3c957e0f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
ddceb7bb2a1bfab3152bdfeef6e31dbd

SHA1
cbeb312a85d947247467597f15fc30e49a3dd4ea

SHA256
4383277394bea196aab742d438ccbdf032d396b9183129bff721a6e41a5dfda7

SHA512
062e80fb3c8d75b9976ea16e17d07a8e134af7d7afc14c0ecb7165bb09df0afcc12d174f37019af6dfa420e7453eacc6e9723185b2b9a7e831fd9962d327673d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
be6b89892ed0b1f0295f3f530f613397

SHA1
704556a82293b78906f60221e6c231755b0a6d9e

SHA256
29ba8ac5bc507a130203bd5ba0490019077f3bb31f2012abe8d764733180a6f7

SHA512
9938567549492e41a1aaeb46adcc621b7e2c6f077a6ad2ef4b73a8a57ab9da709b49ee40b084e62124de9ab9794beba089c41e0185cf84aa8e48ee43349c0744

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b813fd2b411a08e6959bf2e8ff02be0c

SHA1
6ba52114cea122adda1c6ec056465134070bf214

SHA256
62742b47ec63749c49689380792099c906d561877b5af6bbc197857c7d69b54b

SHA512
f1763adb250386016d03e7cd31063699de883997a6206b2d9c83c5b46b540e54bb7b18f73aedd8464072c32bde74d4bb949903503cd75751a32813cb21230d74

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
353307d43bc332ff9caf19a140265edf

SHA1
59a0360f1690e1fe251f767a209a2bd051bce353

SHA256
be5430fa35d805aa026b0219fb7fcd5e55ace3c41f267188202ff159980b138a

SHA512
fce17d32271b25e3fe5b464a9a41b4ecf2afe84a89481b180fc5852dab0e0ec9edaf309cafa5942cda3be6f1a692cb10f37f2185c763a29ceba880bd9b7a276e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c5e4bd70dc2c899dfa0a0dd750fdcd74

SHA1
8134e68fab8ae2ee7cd4e8c1fc9938417819d92e

SHA256
3cd7aef9206e02dad19b60021aaac5a3be23f2d4ce2d8445fac0d95ff0709427

SHA512
ed80713136f7ba4868165cd6190d33cefd0e73e87945fad4aa72192713b2c048fe2f629815757cf8cdffe49f3bb4ef16330931d4e8e4c802835ebf241b139874

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
38baf300b41098cf4b509bba90c1a53e

SHA1
737e1c7918623299d28ac2601fcd4dfdae11396e

SHA256
f8e46ac51bf372c6e907f217ce78ecfa10d76d60e2c75161e96dc2b5d0c2766c

SHA512
46c3d51320d49a366466ca516016e64e79b9f3e70650af58d24d7d306695d69b954b751f5114765e1578a90193e6e8376386afc62b4cea6d371ddcc4b08c8584

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
a821ec99b0fcedbdb188825d286677bc

SHA1
cb02fe3290a9c00d58a865353d774c319dc247ca

SHA256
6e6231c581d39a467b61f3f626cdbcb107d480e5aaa3eb66efb9a4d672b8561a

SHA512
189b61870ce29a5a20503df2911015d2c9513c82dec76a3885b4ac2f1ddfb6f0c0261fc3e1b543c8b5b038cf158a9cbda20422f32a3472a1b4dc4ca6dd9e9617

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7249d44a9e4ac9e2177a1ff43b98449b

SHA1
55af018eedd9b919fb51916d836efdb5aef42fed

SHA256
ef4716964940dd7d900beb746298e42226ee71cbd952979daeec184a407a1874

SHA512
a1320e6492d145fd2f3f210b36d0764155d43647315cac9aa1c7500375e85680bf6e765dd20d3e67c6237027343a95a694d2c12d3408f1b4cb2e9a7d47c7ec3a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8701ba318adf99b86e4b556bf5b43387

SHA1
3ae39fc359da0db57f5d23a726109833d27c2340

SHA256
bce4a7dc96ba30a58b33a5e583933a881f5c9ad1ab9a4fc02a863c90ff53540a

SHA512
0ef17c6f1fe40a169e0d0349167409dd0097f25c62bb0f92c37cd503fbb5b646aebf2f861fe0fcf9a2dd4d7f8eac89e36b7b3ce5243dcbd64f3453e3611310b1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
491fded3b09c035458970a73c91b9ded

SHA1
fcd86e2b4ba36b05a5e14ae851a2e710ff161ade

SHA256
2930d13415b4d07d11eb79ee1b7a8c74a73e0db01a064df36d3bbfab85fb74a1

SHA512
6360e0c636a99acce0e23b3fbcfacb86bff77b363fbce9fe1050afe946b07e1ea3388b36563857743000c66c88b3d6bccd7180b27edad5466d0b3209e6f0a65a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
49620d8b201c4ae94ad7288c14b98096

SHA1
722deef43b37459d9c604b67f8b9feefcb45bc65

SHA256
e46523c45760e597161bfef755ec58946892e81aea09b91dd04a443fd6deb221

SHA512
d61a4e8a3470c0644ce872533852e62db03271209b4d110c30f5ec0c2a1fe524dc623a167565d6f3d9b948a51bb21f57849b7b8433403fbd6f4b45dfe3bf8e13

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5e0fb2d1839200773b1acb65fc1432f6

SHA1
4e7cdc4f77a9280f1c67f9f7a63ba5391e443e9c

SHA256
5ae6286d6076695114d497f09aa8b9a7e2de7da14f81a5cb76fffe23e88207f5

SHA512
31b1b8b0eff62fae6e6c01aa660a2b2f984cca1e092edfd4ee4c1936d06d6038176b754a80581e2b85335acdbb8d7a2fb73082070b2bb1da83a23432fa6419eb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
595865f311ad9057a13f6ba4aa194bc5

SHA1
358e27b002efd2173bf0604913d924bebdaa3005

SHA256
056466a4dbcadffb5707a0becfc431b1f006885104451b638e25ab8ac6ba273b

SHA512
f904b398a3dff1c444d54295d448b3a44587b617d328ab0030344a5e1efa40a8c40c811c8556a9056882f2b6c7a968602593290c08c87b0f6f2ef987c546310d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b652794c6ee2d9a6b56704c68dd89717

SHA1
9f9e64d819f2515232c7cd22f6383a80c267107f

SHA256
337d52fb331cec629df9ce4f87a9826e95b1dea037b2c2a3fff0b77e12567171

SHA512
ed975e2a505caadbe087f8616faa3c96bcf73836389b1cdb603215fe422888b64de88fe0549dab667befeb56682a6aa3bfb7bbb5a20dc9b1ccad817b39f0e602

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0f8feb3947402535c65a1058aa9eb3d4

SHA1
db45a00bd158851bf3a75703b83832c80e52c688

SHA256
05fd41e5438ed0b967311e2c221bb424a99488e9cdd0d8e4c0de7eab047c364e

SHA512
180f6353df4829bdb41b9e96897aa0b505fcd820e09d8ff27b51fd0b182f7d8d50b98c1fe54a638dede30098536b1b89a72da921093b2413dba2b338588eae3a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
12f3d9fc1bc73f5abf11a61fd073cd8f

SHA1
780fe636d2e0a2d833d8151c88ca7a17d96edabe

SHA256
668b8357f67411aeb06094b78e6d0b663b9da9a5f0ae79bb537acd0606f998bc

SHA512
fff56100f2b3dad40518f1ddc742a34d6dc57aece7af041c92cc66104243fc04aa955d43aaf439d5d5f70796458af353f3ae258d2738ad5c0cc838e437d0a83b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
d5be12282fdb42565b88cf519bf4bd68

SHA1
0ae6c876f36d17327f0362dea3614dd477ad7315

SHA256
2ddf2fd75b0a86dbc3285f3aaf71afbcd6f6f97faf90e6918984003e48173891

SHA512
53ad009086913ac518593a572e8560ca83ce510595a611cd7dae864d36de50e557742d7a926f0e0d61368a9e51638827dfe1e097d3ca78ecab4fa1e1133739c0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8b779bed68332e3c7554596a093ddd18

SHA1
98fb101bb36b2398e387250b5bf54d2b94d73fd4

SHA256
b5ed5173c1860b7c461cea7b2deaef3812023b0fcbd92ac5772e501a782f53e4

SHA512
00a5158a6721b812f9dfafd2cecffb5b7ecd55185b12bcd3d15ffb060f4b78a623149d04a382d11c12595a91cfbf4e1e7abccaa4defcb48d7f188de67807d585

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
aa8640e66d342af7358a2074aa44207b

SHA1
3974a224ae41516bbb055439d8b51c221b65a585

SHA256
331034eb1cee449e21a6f96c21b67e4e1bd4adbafad0dab8ebf84a09591163fc

SHA512
2a3290f0b1c1eae7386e0a8b2f63774e0acf30b0eb7c57302cb345daaffa5ec5589056e79570baa7bb676c8c997e01d904702373bc7381e11b65d82d1924acff

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dfb6ecf031bf6e2f26795a6786793821

SHA1
678343b36c431ca277c983c9ee4fc3ed7cb77632

SHA256
8c80d88088bb1bc440279815d4257a3104e279581571a3503a4e765c7bc29e82

SHA512
d18c0847ee9a7b17a2f8e647cc14502dc503ac7f345afa916584d76cbffabfabb2e8eea8e7778d01a81dd5ba111facf44fea7081f3dbc7de592ff97598729f62

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
13f0d1d89b86b898b29fe63a81e4e336

SHA1
aa40d6ee65cf959997d78f37312867c4a4c46c47

SHA256
58061a6aa87d2f53d691c6f3a3cce4680f107d2fdbf3b55dab5d4f5cd4a3fc5d

SHA512
22c0e092d3e8c642a9f1721a4b5f0d3a7c7aa1be23a24714b3c159d53021422ab8e0b2a35856a2e2584d6626524891905877e0bb7989e4b2e85b425ea9ea3762

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1b6d9968aa26b64c6512f4cdfa5773d4

SHA1
a1783371337e39729c85923005fad3eb43cca67d

SHA256
a9e008a9130951567470db58c243a8c4e90be7cb6878f6215dea59a53f9a533a

SHA512
79a9c45fd639ba0570af59f4fa276eb1baf9bc869f7c0b11d07b0a611bddadcd9b5bc74bc465d4f1338689f3e6453a7e6dcd06adfd4d4e7a4f3b07b77d7228e8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a245b5a3e6de6456cc5af0a67177bf06

SHA1
06ccb592deab87e866c32bb93b79a83b2c47f4de

SHA256
aa003b85f42ab531402b912e88941d32a1f2c31630118eec4620dc79d9dfb978

SHA512
7a7a51fdff3a2cdb4e29a6d77b91e85aa9292d1e6d092f24bb94c5feca91d6db4c95eb7c8f05fcfd54bf0333d8067ada9bb4949e4c9d36b07a656376a5cc7fb1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
764fb82b020deba8b72d2db67d77c2ee

SHA1
d31179fdeaa2d1b4ad0e472bf8ee02857ce510bc

SHA256
23969c29b2855ecedade8a00fc6ed4dd044a6f7655e94e38ee1d31b3540fd710

SHA512
e8b4f3542ec15c834a33765158783dbee1e4e413a6430bd2e328caefed4f04f8e2eeef4b197d28f862d9b68c8c46af55a8b627feee2e4aef8c360d25c419c0e0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
58a63626d1c99919e15dd3974e577819

SHA1
6fb1f528c27900379230f82a072397b2a965d1ff

SHA256
0db66e54cffb5ee4eaa4f419d67f528296778e12e8293ae73011c1f69f5784f2

SHA512
67d3e3aa3b1e372a24e420ea7db63d964e589bbc4f6fdb32fde8aac1ddf24ab11a24d625445250afb078c0c25e36a3c892d4ff25497a01b6de826ddec842ab8b

Download Submit
memory/656-234-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/656-637-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/716-549-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/716-214-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/1284-632-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1284-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1612-175-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/1612-169-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1612-230-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1612-170-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/1712-198-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1712-547-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1780-638-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1780-239-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1956-203-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/1956-548-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/2096-150-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2096-222-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2096-153-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2272-635-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2272-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2560-91-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2560-90-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2560-168-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2560-89-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2560-83-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2700-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2700-109-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2768-179-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/2960-217-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2960-137-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/3104-187-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3132-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3132-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3272-415-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3272-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3272-152-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3272-2-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/3272-6-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/3660-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3660-182-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3660-238-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4052-226-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4052-156-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4052-157-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4052-163-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4424-99-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4424-107-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4424-189-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4424-105-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4532-636-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4532-231-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4600-167-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4600-55-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4784-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4784-129-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4784-123-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4784-132-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4784-135-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5084-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5084-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5084-117-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5084-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download