0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
Size

1.8MB
MD5

02e2e98068aadd3593eccf8042094f53
SHA1

5026726aae14ac690cb13ac475f2a7f63cfe8099
SHA256

0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c
SHA512

6ff271c28298f8b909d5a80736c438a0e3905d0f012c859440bd42f403a5ce102d448e5002fd62f9227a3e233aa0a74d15324db819476d6a353ea244970fc35e
SSDEEP

49152:px5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA8f9Ckt7c20+9qNxUW:pvbjVkjjCAzJHfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4420	alg.exe
6072	DiagnosticsHub.StandardCollector.Service.exe
3980	fxssvc.exe
2028	elevation_service.exe
4400	elevation_service.exe
3272	maintenanceservice.exe
2436	msdtc.exe
4528	OSE.EXE
4892	PerceptionSimulationService.exe
2996	perfhost.exe
1888	locator.exe
4572	SensorDataService.exe
5360	snmptrap.exe
2612	spectrum.exe
3648	ssh-agent.exe
2404	TieringEngineService.exe
2324	AgentService.exe
6092	vds.exe
5832	vssvc.exe
3396	wbengine.exe
1876	WmiApSrv.exe
3424	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d7ae2c208beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\System32\vds.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\locator.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3558.tmp\goopdateres_ja.dll	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3558.tmp\goopdateres_fr.dll	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3558.tmp\GoogleUpdate.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3558.tmp\goopdateres_ar.dll	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3558.tmp\GoogleUpdateBroker.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017c65dd324a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df4e67d324a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af10aad324a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eaea7d324a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cc47cd324a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f73acd324a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f9e56d324a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0627ad324a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3128bd324a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
6072	DiagnosticsHub.StandardCollector.Service.exe
6072	DiagnosticsHub.StandardCollector.Service.exe
6072	DiagnosticsHub.StandardCollector.Service.exe
6072	DiagnosticsHub.StandardCollector.Service.exe
6072	DiagnosticsHub.StandardCollector.Service.exe
6072	DiagnosticsHub.StandardCollector.Service.exe
6072	DiagnosticsHub.StandardCollector.Service.exe
2028	elevation_service.exe
2028	elevation_service.exe
2028	elevation_service.exe
2028	elevation_service.exe
2028	elevation_service.exe
2028	elevation_service.exe
2028	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2336	0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
Token: SeAuditPrivilege	3980	fxssvc.exe
Token: SeRestorePrivilege	2404	TieringEngineService.exe
Token: SeManageVolumePrivilege	2404	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2324	AgentService.exe
Token: SeBackupPrivilege	5832	vssvc.exe
Token: SeRestorePrivilege	5832	vssvc.exe
Token: SeAuditPrivilege	5832	vssvc.exe
Token: SeBackupPrivilege	3396	wbengine.exe
Token: SeRestorePrivilege	3396	wbengine.exe
Token: SeSecurityPrivilege	3396	wbengine.exe
Token: 33	3424	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeDebugPrivilege	6072	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2028	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 3000	3424	SearchIndexer.exe	113
PID 3424 wrote to memory of 3000	3424	SearchIndexer.exe	113
PID 3424 wrote to memory of 5256	3424	SearchIndexer.exe	114
PID 3424 wrote to memory of 5256	3424	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe
"C:\Users\Admin\AppData\Local\Temp\0ec57d646f63631699430d29454f9aa8dd80ce5e8b2279337c839f0dca81f89c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:6020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2436

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4572

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5360

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2612

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5984

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3000
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f9fd27840a08b0ce23371378a2b67322

SHA1
9d7c9230414d38e9982fdd8ee9355ea82a50e212

SHA256
21c8ab4deeddab9391085b0daed1b02bfb279d71e167f7e7b02f615bdca8b79d

SHA512
3de7b82dbf94e56452de0e43751d56192ba52691d9ffb098c1c76e3e78b6c651af54c7f699b6d9ee3e3077a8d50115a2b3abb1d63e432584459918c3fc417f58

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
96004be2fa35d076eaf8af709e322743

SHA1
a03933d1e494812cba4a3bff2d2413378e7af6d3

SHA256
5f39ac58bf03690b05a04032d81702359a34d96304843c3d6f69fdfbdbc4fa13

SHA512
9073ece9ca9a20ad0511e2cd95f81765f8ee14eb54b43e53d6f6629fbafb699363ea8b44e04fe3597836e5e67cb36d1a57d509db3078b740635c193a0439f5d6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
d42c9267d49d326e47884251c4324736

SHA1
71a3ee1fc0c289d446d07a27979f3d1e85ae15b8

SHA256
88a8baa20d2a2a434b5c3e0825389a87bd285aa520ae86cbbd9fe05b4aed3d93

SHA512
f398b2030a67313c5e05e48def6be215c27f27b54901049d47c1f8563b636153fdb9ef9d0dba7d4e55126c0aa1854820137fed051d030d60f542532a53851956

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
68971ba37f41ac644aad6c3103b36aec

SHA1
d369c2919e72cf96862ffd9c20fe22f9f961a87b

SHA256
58679d45ab1481f385736f51af7ca22eec1d32bfd70f62f2f0739ecc91cf945a

SHA512
ea46039a190973608420fea0a4c33da5f60dcd9a4042e5b32870913457c4b84ad97cfb1dd62bb31a16d94661135f464a0233ad7998760d0eacdb6001a6d384aa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
09534c11a5d26bea8d8d92c4a3463b12

SHA1
2411e59680cf9a03d9b8a7fcb37967d2f99b7d4b

SHA256
aebeb199a2ffdc00ac074973120f01c0e5e3f9333ad8565e5c38330f9486b60c

SHA512
254cbf4dfefe588a163332d487dfc0f8403726ff9442db4dd3b5407dc9877b0f3dbb5677398af638b2ee79ca9a1b4a4f9fedc85e21468652ac23eb5a7c4e5015

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d76bb37d0c75625d72ceec0388ae9dfb

SHA1
7a9fc55899012f0fee23c3bac9158d40a849cdbe

SHA256
eb1b8e2f1308bfab7ed0ada6d25df6abb0076762b86a6b48ce122119662a5060

SHA512
b4b730099bee064ec89ba449953b57f94a294acc5dc62ab4406fc3b117c85f2d11b709d04c999875287189c152ae5d76ecf99a5dfb57eebb07a78bcf0a1f6170

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
6df5ba2387c2fac71c31c756700adf84

SHA1
f158e32540d94b7b21c9c4a113075d825d2bd585

SHA256
445d71be0762e6685f1afb4cb79aab742b73eecf9568c3487a611d58b071d3d5

SHA512
498afa75850fae30f9878d0401bb2ee2e86faa60a365f0bb9768c3ec23b75ec2f277c9fcd333e70f6edaf1f27c9eb344f78a4f10c6a85666cb87321490f608a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c0bfb867508267ffa31212b28d96ceaf

SHA1
4c51cd3abc344dd9ab782eeac860d6549489d7b3

SHA256
d2676395746364cf2c9ff65a432999b9a14da31f1032ff08a3afbd555e6bf352

SHA512
25607f1ef6267e9fdc9f7bb4458c3863672902601d71bff9679cd1a58b728f4e2232294d45ab64c9dd84548a64a8e9674a28b4eff1f53a49247cd8a74156118f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
acc3edbbe96e09532490e5e7e8f65449

SHA1
a0a064d5a1024568cd53c6da9bac8794a96cb17c

SHA256
ed11d0bb61d827fe5baf5304f71b3d441bd1dde2281bbad24ecbb2fd82fb5805

SHA512
cfe7328b168ca1fc053d67aad51e9cbeb5a3a61e992771124d56fee0b953306851bcb86059cddca78cf629406e5edc9c8429057b477b491500676d515b5abdaf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e4b5f799624c89d9a6acd4da914a2ba8

SHA1
61840f3a803e5127c3b4a0bdcb95739736025f32

SHA256
9174081aaad5f7bcebce1ff0329f36633e1ece1e7b92dfa874c62711505bf4e6

SHA512
7a5a182832f63ae980e38c5ae19b251da3249110b77381810a2a72b0f737ef7e6b7bcdc05c12691bcba0c93a4f7906c6b7f278dda71b0ddda37d5e3ff4087478

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8723c5af0faa1ed82ef2768af64faea5

SHA1
285901685c590d30b37d2641d5a24e0b2cf19c30

SHA256
73381396fd5f5e247fcefc41b8a560f652a882cd6bcc7a5662298380481df5aa

SHA512
bee96342b8fff539414a69ebeb0c6e4e359d10e70d6700eab2bb75c0dd94519c7063afadc61af7055dcb3fdc75422a34b7c3c6db41a14936917f09a9a4b21170

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6002881e76d9fc373c1753ff5b2ec00a

SHA1
5e15d25ba67265a6fd2012472d90e1892e185426

SHA256
140483875c32b65d65bb17d51b224de7eee3fb1f52b226aa817df5e58bc05070

SHA512
d6670b28bd789196ffd8080132820acc91062235a82d9a25236e1ab78419382619d1aa0f5a3b0a81a084216628ed441c7dbea936628031fefec7eb14ebff4933

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ff2fe09b60afd3fe86852b5ee8c2d02d

SHA1
e240fd8afa4444b0212683d1bac2a2d21481fa83

SHA256
279cb5b271c7be2b6d8747966f7297abca18a32bfddf4d62387fc6e9a8301fce

SHA512
e97bdf6e54e879542d9d7d7fba5776c6d49ca1e7512bf8c5b99401e2ef95dc728b69332e16abe27a03fb8c0d5292c7425672b18ba18a62ad031e8dfa238c5a81

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
da26150f5f17fe3a0c07e38ba47333df

SHA1
d01e3ef31860df68928f50fbd85849374cd2f6d4

SHA256
b149a53dec8305eca366a3880e90e134c9094c1c03c4b264ebcbe5a28e3ce5e3

SHA512
56bc906466e445a9dc02e61d08b1cfc8ee3208e2dbfec1f3bbccb27d392b4ddd8df3e32c2b04c07929bd863e80a482c5c36986ff8dc26e008b19261c3d9a4413

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
810cbe780ab950c841992f32e1868693

SHA1
1a29d1345e5b1417844eb2e4c4b1313ef00c7cec

SHA256
a5444a145d4f5cc37413621f6f96d9319146089ba3113f1c543bf0b59b9838e2

SHA512
cffc0f163ba30e1925d7dad662ab4114fbc19a5a1627a8b81490d42a37243d766c06a13a5fcf2f94c28e208f539b97afc0789569756db9913e45976900558d56

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
224b874cc2e50843471b9939cad4a011

SHA1
32fcaf0aa97d692a0282b3b34bc7f1015ca912cd

SHA256
552e6b691b08d55c8b52cca48b2735d9c8c8432d037318dd648910caae1dfe76

SHA512
ccfe1db50161ae5e4b04a2c536d3f3aa3b9b951a4363f725e896e8743590a62f17084eff0bb537b310dad151eef6a2a9df0e75b567f74af7c08b23f50f56297c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f5c21e7aab8fcd102b08b19c8fa9930a

SHA1
8fef844ad4a8473c1fa7f416d3628e46d088d9e1

SHA256
a0ab0769224901b6f48e5dec8c44d8b421c7515bb22827ad73b96d2a1151da86

SHA512
6ef0996b10398bf0ed64ed8d4c1bd0e28ce213230f46dffc7e99e529104f1db4a6cee2f555aa77144fe1a8062d20755b7f1fad4e486b43c7c9ca5e6ebb4a0862

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c99d7a8624cfed2bc020cdb23472b717

SHA1
a061bc8384cc00738335298d5b6468e29ee2eef9

SHA256
3922f62d82636cd1f6d0d0d892265b088d2bd01c88e20d9ec530e6145f8766a0

SHA512
db6bf696455b7575e67f1e32e49231d8826338515edd104da89ddaa634a73060567b813d1a9182e9ee15af70f9d6dc9eec71462ff7fb961ba9eb491d51b15e09

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ace574d4cbc331145b5004a8b3fa99f8

SHA1
8e04d48a0e625aaae63b0a6c3fc63290339597e0

SHA256
08ff66de0a97419791f7d4fb330927d7e3f1731152b2a75ba337e51a36d5e457

SHA512
fbc36f627d55c3095afa287b09da890e58742c622b4f98fad39ecedd17a620d5bc39a027bc0e3036b991c5eb556e0ee67aab3de04c2bdc6ac64bde64ea59cf8d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9e34673bfd449c9e9d01852efeb883db

SHA1
3fc8ddeae7250e0dbe466026cc0678f35549f216

SHA256
7910636acd9f341880c5aa9380afe96db7a2aa77829ca15e8ad952ed7ed57c35

SHA512
2702b91bfd2b7e4aead9d34e7ff559e78d083f2fb1e69fc3e41f5ab51ae22aa1a53d819338a0868c2a873536502c2c66bfd858a09d591b1982201858b353d826

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9b8d022b00907f41630b61fb439ecd11

SHA1
a077511a73b1ca32c9562f087ce4eb8570e136ad

SHA256
5077e917d6f5f1d324859ce9154fe7f1e709a2c5a4f8315e720d7ba65c69d14d

SHA512
268b233c11acd19c1e679fd9021df48a854ceab24f6a3cf70187aef4dad9694ce154bab18bac692a8e3273ab292389c4fa794ef782189740560926e524b1d1c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
496ff59e35a4fcc45e8d30be91591ed8

SHA1
ebf67bb8afedadf1b28f85213012a667807f7805

SHA256
4ca586b8ff74b3de458d7a72712640f9605ff00e7d1428f0fbd0312b34224ce8

SHA512
0ec2637f852cddc6e8b419f8bcf07c58e013cb92195f773a5c42c1660b7fc25bb4030b9a82963fe90e639218f69047fdf4eebb3493580c7ec51ffede22464f40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7e857ad3c8b4a36c083e207e62d38b66

SHA1
3277eb33226984d13e8fc1cc4496c84e531b33c6

SHA256
f2512b333a40515af8177322119938068604994dcbec12fa7eb90418840196c1

SHA512
d868b2fd28807e67458afb681dbc3c2b7d6942b7701ce22800ff40cd06dcb78eba8a6cfb43cd9df26dd43cedba3b3b10683358a2641b35a64699e25957dc5482

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
34522a71db86da4cfbc8dd62e0343f09

SHA1
20f83110ba81abbd84c60903dfa08d1347199e13

SHA256
43a34a740b45455447f3b1a1628256e59548e35f5aa8a51612b892cad3b746cf

SHA512
10b6e2751aad487c25fe66555f0980d2d2e4882f521039f010f943f023404c99ecb8c3fe02661ae7759a6e60c97c5c14f475f925edfeee4f2395d7fbad7277d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b8462ebe7ce87c2255561f292327388d

SHA1
29159ad67e4c42b5306a7e57f13459424d236301

SHA256
f9c0e1dd093ca06313631ac3290a39f1886a48f52eb1f9f4948ee992677ba11b

SHA512
717c90ea8e3d527b0fb19efb4d2337a19c12ff11df870d2c258bae5d2c1eef2d7e5e7b4800b4478b2da0984260a67afce4b13d0973b6933b4b7941b86a2cf478

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ad1b9d14f667312665f7838ad8e722f9

SHA1
e3bfa122e98d506a79c4e4405ea98b381428301e

SHA256
23122d84c86730c9a5623f8336d3025dab2116f88e8cafe85b3da74d2d40ea4b

SHA512
fe405d3dd74f5944680f195499d04aeb032007c7672d14b4b4e93d2b234f6f74fa7ac93b478945b80b4e193d549e8f7fef76152165aa876ca97447156e122347

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
27716ac1ee2c2cd435e2890dce323ba0

SHA1
543d77c36a5a07c97ae31e4cc71848065b671181

SHA256
9a05f89fca80cc0c3ba54e2b4149cd0dfb964bf0a2dff01d2a8abeee7993c9eb

SHA512
64479cdc480ba9a14fd3858a8014d4d44c8186e808b2bbb6448f1f61c19b8fbfbafc4059c4f45f96eaf2b6e5d524eb03bcd2e4d8216ff03378af79806d35b1a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
57c27f8fb5377c9e47c35a6a5bbc4e99

SHA1
a121a05f5fe2a6d8fcd3b4ebab644570b5c33665

SHA256
b0f44ac38d709e79053d3fabf0fa5e72059061757c27197c8dd9e758ed136685

SHA512
4afd54cba9440d11a77cd1ded4b9ed2ee53547fff592721077401dd995258cba95d1c372852d0ea70550d4b7de210c1902e7507f78b2a1c4ea6d39d88fdbc3cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8af3736b9d3ab647b29582ba9928329c

SHA1
d176c2f7d8afcc098e8dc159e0d2771549685745

SHA256
6de48bd6cfd3b3b161d5638693241d62b692137acbeea1eb17bdc22473c17e1c

SHA512
fee306a02a53bc7514ded764c09656f089c43e2b45eb750393f45b612c71efcd1fb7836010fdc5987560e615a1d11690de18815a2dd3d2f15ad3aefac59ae14a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
23b08033564f6645a782fc66d28df37d

SHA1
3855a6f583caf4ae6404e81676d75ff3d588ae68

SHA256
c6f882bbc6927ebb64835e9ff228088238b3daa307dd07d100f1553333e53083

SHA512
4bfc3d6101412452d67bf7dc131b90dfe0a6117a0ebb03eb5f67b42bbe2ee0addf6f7cd1866d58836a6e7454389dd558e83eef999337a2cc06a936fb3fef5127

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
8989138475356bdd97168853da391f05

SHA1
093a8f74332b30f1c9299a7fd6968414d5f294f3

SHA256
14d0c9c1c6beaea85a0b62cdaefbf67ce5cd439f3e84af10b606b19a7593d75f

SHA512
c6937b3ad35f6fa56aaed4ebe003ede12f95c91ec6a3f86c702bf3b42d87309eb578b49569f2a6a14afa41930dff26a3139343a6fe63d5345cddef8072781d9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
824cb508234327eb22d784f688dcc8ac

SHA1
9bf3eaf79207ec85bb52d812960f061b283d9dd2

SHA256
7d24e3f5e8b9b325a0dd947f1780ecc9bbc64d344bc938299ab03bc27957b63d

SHA512
46b65cd09bcc30d6d77dda858616a18f1eceda34a9f93a80f971381f82c4c210c6e045baf4fd756d79e7c4f124cbdb328eb7f7a7079961f20f4250ea3682f378

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b1c9561c619b55b3390550f436ff5aa2

SHA1
7727d17e18f032b419f3e524118ef848a01620ce

SHA256
2621ed2d9a6150c108747bb732e18eb9e22db0058b5942715cb8632f538e7a5e

SHA512
c6edca02d4fe75d1d4287bca53b84c416c78d518bcaab071dd7a461eb184e29b2416422096bdde92076ce2f45f98b46a3f7d4a329590b013108384a4bc03e35b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
7113c237c24da11aef32c3a2c3a25cab

SHA1
f914fc19f780047fc2ab11a4e7a1c103a0dad7d2

SHA256
61afa16432130f0342c4ab1b1798b798580d9164fbe998e69a684aac94d1ccce

SHA512
b2d77d9055f5c4dd5e5c3815ed0f9c2eb0bcd622d271a6ced0b2e8e04854b173017bbd1d5d88f3b8a9abf52d8d38a2a8ff3f273b0af4090a2f7489f08b231eaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
3b4b96d60e6198500e965bd0e9945797

SHA1
721a2cefbeb4a1535ae28184fda547011d65f586

SHA256
702b7adc05181f4b307918eebaf1cdf2e0ec1c29c8edf9cd3139f469699122e0

SHA512
cf6f65629957107b14fca056a508549ca096f2d2cd4b3e37d5e98eebb2e78a857f205d211bdf6b70402c225954dc248e568622c2c2f3e161004ffbdc58775ef5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
27bd4baee2df3a34b9348150189bdec8

SHA1
35344c4547994a19b98bf6316e2293415ac14773

SHA256
65f57feb83fa3166d1585b3578e722feab6cc6ef3e065b7bac168071c6951444

SHA512
8d95cd241f0b59b1a76bcee064c1cc425c8b7966c1c1109ff80c9e470d48b18a36d6900f3d5c679173d6efbca484063af831f390f63d2bd4846bd9cd5d428b8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
1091270b11baeceea0c311611483c21c

SHA1
d99a6e897d9dc5bd75a7af6bda2d4934af1f6cc7

SHA256
ac7f4c9337a118b3f0820c2ce8845a2e9362ef0903b532e2437fd2375cf0d156

SHA512
73a32fc9101b05db78c3422f684d17eba4abdc885aaa56a40c5bb92768054b86ebac2377ac1364ceeb8cb96a1779679518eba69b719b98733d28617b822b59b1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6b8ff23c3f81066814d1144b16d43e2b

SHA1
4e27022410b20b11e0be1f1a56a5895536790755

SHA256
a21dcbb5de80bde8b71c507cca2d8213de88247d0a0130e803ae43f082156866

SHA512
993a720860de07bb20b76f5d9433b5716b94e49bf54336daa62d9d65055edc3a964f4599c243e69059c55348a9f31bcdcb96fdb723ddd86a5bfd1fbb97020aaf

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
ff9b97e397657b00a0683f57bfb52f99

SHA1
60b1ec51a5a564a4110304bc29347d0d8b09827f

SHA256
f5e10984bac2066a1f8c5654ce1b927fe1533cb457aef7cebbac3231120b1516

SHA512
078baaac119bc106d2f9a89c95f975dc387df6134256081ebcba760ece576498e95a7a3c1c04a143097e0852746b7b772412baeea8dc9fca5b2bfb2166291462

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1a78e11a246c4b21093ca3bf1e6ac990

SHA1
20ddd23d1e2d77d30973307732c76529fba1adb1

SHA256
8bd873e7e38a2daaa84be5600ac1d7de6760f464222714f9e6ebf0dc21cf3a59

SHA512
8b3d0fd1fb4b10c14d34abe0b14c3c44754ad6eaf6df829a923856ff762188a4060bd02a07ec38e915267b143e0bc175488794ac56c0e2966c1f54a97cd4ecba

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d6d5907189265c76d1caec0e313947ce

SHA1
178fd42d22eb17c006778025fad1e147c5fea393

SHA256
8b26ffbb6b6af29a7120a22e776c651a5493c94072f232ceb863fc82e13aa1e1

SHA512
dcecbc88fd32e59a8b7fa713b484b580e22b13104d9f767351efdc517c7994cade4b3015e6cc9481aa0b2530ca88ce2d91a217f7d0d12689b83c7915896c23c2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f124f33b61836504e0f6d82606f9595b

SHA1
09c747eea8583bd6fd6a770b4c81fcc3802e2209

SHA256
2613a6c7acd114d41991d698e9367eafff52795fa2a892f92341503e03b3debf

SHA512
0e30d51066eee43a3e84009b2e72a5d3432ea14407c8cc6ed65968102dc7adcb45beefd1171127f699379bdd1cd43ae4e457f5e31fcfdf5876b8bd5b2233e837

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
61e726d84b9795a1882c36efdbb94e73

SHA1
ab180c8d38f333605ec69b6c26e941ea22cc302d

SHA256
c4759ea3ac4c123541af4365a0895dbb8c28d00a46c3570a552a51290313c682

SHA512
da2d97d0e145dd26e7d5b1ae495ec7ee4bd52c9c5ec1bfe1366096d3cd8a9e5344b100dde93e2a77bc1e2cafdade81817b25ccaed1930052ca8d460dfd56f23c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e8953a2e6ed0ec2bd6f60fdba8f5a8b1

SHA1
9f677cf57916b37d8325d21ceefa3a1422533698

SHA256
d9ac21503d1874f7686657313f7bf4509515c5df3ce47396b4f8a5e904a7907e

SHA512
09b387fa8396f9199748e70c5959e06169513f9323e5c60ab7bdd662e0ef63ab60136184fe0e2c1c7a38405a119d30133238c39ce94da10e6e8e788c954aa992

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
5dab7fc3031d2e0199da7eae6c33d2fa

SHA1
46883b036517cb67fc83d9199d6e4d91d2b6d06a

SHA256
dd974c98873038ce535ea149d14ab6d439e404d35e289155daa2f04f4f2bdbf5

SHA512
4779696065fc0fa126181b4d94d5140592b06889b7dbaf0520743d10ede4f21fc401dc63f86f89c0181da2884e42ca522698246756d0c86e1638138263cbba1f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fee3348df3a4a993905582203ea2b8cf

SHA1
30c3b1fa63ef95a4175c6a9e61094c724071a762

SHA256
dcc96b45b1d0fad1459e52969388f65d5873d393e28706aa70b5dbfced14283f

SHA512
095d765b9144133bf92550191c7afb34f1bc3f1b25192603bd5fb9e5d5e56cdb1645d030355dcb4ae76b99323dac378e32fe9da9128181c5f21b920d93ef47bf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b2018f393607d174171323240d8f66d2

SHA1
08be338a0201fd2800b577a86baecfa3aa08efcd

SHA256
a5cb2ddc89c173714e24b35f541e4b870cf72c5e0cec6bc5ccb9e2503ed94afc

SHA512
7feba89f447cb06bc3d61ce3a6c412beef888deb2fb3d23410fcf6c73ef734be635b3394eb2a13e00200fb7be2b133b8a262d06d6b5ad78bee535c3ddfc64264

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b44a89877bacdff236d2ca820746cfa7

SHA1
7b15064840f8735bd4199ebaab796931408c1d70

SHA256
d0acabfb84170a2c576de5addfbeff33fa89152c20486916bb2a43e192b648bb

SHA512
32b5c78b8cc69790dca777ba9ef4d08d144dfed11f85fa372aee6eeaf2d30968dafb4543a1fc8a4c1aa1c15f8dbd99a0150eb0858a700146e4d4ed12b3427d3b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3fe7e7c7a3f4f7c2ca2e41b93cc91193

SHA1
fb40d0a59314aba0e928f5d6fc78f46622affd9a

SHA256
6c2568703136c472330c18fda78e1d82532b53aab38e1f52329cbfca2f957560

SHA512
5679ebe057a2bba6f68904cce6dbe0edc63f2e0c21c99ce77d0f00db63e866e98455edf0751485a8ed406ea5ac90a25eb69cc6c1c34c5a00ae1812907b515910

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
13df750915f71e4f24a9e708c948c755

SHA1
4543602c09507fd8783152f9661c77d2bd74ad24

SHA256
58b96f77ba89f891e378a2a21885c8c4d31d5f260e5f8f18e64ea58278634224

SHA512
74e55983d92608d98d8d68f2512dd6fb14cfd925ecaaaac5f4b62e0c801c5b90eb193673c6d175bf1f5cd7380c763811cd1146456323cf5c33dd3a934f6e0a6a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
37f9bd45256cf967d36d1defa363fb5a

SHA1
2c1df50eb684c0c3114b10831bb0843c2762ff54

SHA256
1e35d70d859c281f78177e788f3c82ec661a7d15cd8357ac1d77457debb98cfe

SHA512
a41bcb623556430190e44768db95c12b8884f7c0516a73f52c209f39f26be8cd86534135ee49aaa8a6d6a24e929e2bb8a128512e65632ee7fa0e150a538da91f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8fa1435060e1dc4e680cc446ed906c1e

SHA1
67630311079276a524eabad05e65de8d2ea6e24e

SHA256
364ae74764a382776eccc7ad1a2e206abae29f0f6f5c8f97b91b38ca1cc26378

SHA512
c0a5c545c3b8597c3dffc7ab10aa5510bd4e5739d569b30679a537745662d1314f3dc41caf10649a0e01d014cb727b29b77ca756bcd1a9471b1e974f0b3f4a71

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c147ea7e568d93520838c4791f9649e2

SHA1
6c03927aadc6abd2671f9afa337a32820f4c0f37

SHA256
0cd04d19d4e6f795aa6b3db8cf0991d5c9a1ee024d10373281829dabc60a0607

SHA512
d279e53fd4efb108f22882c0b48effd51b190da31d6072315ce7af5e6d3b9671acaa6af97250f1e3d91010600119723d3976c23352c819fd4c21c82e6f730bfb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3c837b6ab328735dcafd0d39beaccf55

SHA1
4089b0efdfdb3543d0403373f821b42ab56a9d85

SHA256
95698fc5b9562dab1077b56599602d4683dd701c14532eb86929f5233d9417e1

SHA512
89124f5cd88bca60d97558d3825bc15d71f076ebcc169fe2e2a2f7d51530d75ce33f78f6a6d979cf9440515eac7c3ffb846feed23040ebdca6e8352e4fe40deb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
84775e8ee1089201da4f64848098cca7

SHA1
670653839be5b3c3ed6ca0f9365a2822cf5ced66

SHA256
aa655af75052f09268df9952eec9d7e52558511c337f6545616390c84d53a3c4

SHA512
903acbacea11933e8894e5306d9b5183219060c1e1c549c7b5b5dcce5a85689fe4cb0159cbd11d9681cefa4b0c837a94f745c18b9f3f9f8ff84050bb80e5eb40

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
12d2e50637c4cc9e744b830cca5c38fc

SHA1
35eb8c2ad59f3683a08fbc2530cd24d6b7ccf983

SHA256
74566962062ada1b5d4153c5ddbf7420d474a18fae1a7550fa1a50d01b359ea4

SHA512
958309a762a503ab5331ae0541df91ec0615c3950e87392dd63bcbeca551bc79a7034bcaf1879ce91a7e632e580956d3396457a6d565fde376f815e18b15c35d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
43f1764d2d6aa07caeafd48ed6236413

SHA1
e4660180e8c7aad97b737a989307c3f20a5de78c

SHA256
ec2d37cec01d3dda8011cd537fc1e1aa94d3319f9836e25833e2bc14a064f5e9

SHA512
3d34113cf3f086c20f13477a1605ee0614b4beb5d4883a731da57c47b9dbcbe0a2bb1c6d6ff50cd25554c9a2bc1323f9d5b9dc2a257243bdc3686dc7462547d0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
87ea3ea180e77c9d6ef7865889083994

SHA1
ab857bf40af866500fcf7a68bceb14cd7489121b

SHA256
fe150a8cc1a352a22311294292b6d462ce0861a2c865c70c7e3ef043733c6eac

SHA512
136904023b120ec822fb21cd61bb69cad6c4e0590924654eb43d08faececdf45ae7727f9d0d80db20b480eb4ecc6afd6b40c469c7585fa11368934548348f07c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
0f03e305e241978d6a96077448d027b9

SHA1
f20be6019ad2707f6de3e7c457a450e47fa1959f

SHA256
7e3544ffe8251c75d93bcf84cc615ebb033c7f86a6622364ae0385a8b699a4c9

SHA512
d6e5c1d6d3cca8d40d9cd3eeb131a4af06de376f58bae9c4a130fbe725de1e4b3fac48ebcfb7fa3b3ce8aa647011f68f24b5d4f19d839041d6c237435b5f8e28

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
7442aa8460731cf4ba7b1bf15c514fb0

SHA1
bdf3dbd9feaa953a06f45bd5d84eefb0063dffd9

SHA256
7e0d0574614a22085369b2c44671b611b4962bfde21891eb18952fbec12195b1

SHA512
85734f9c422165ed271dbf05bc02e73bd70be19b82f96b8ee0fec4750c802128644425742156eb5cbd2fd12b2836e3d69fffa4e0c9caf833b27fd7c5b5cb7f94

Download Submit
memory/1876-232-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1876-697-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1888-179-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2028-99-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2028-105-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2028-106-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2028-195-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2324-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2324-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2336-164-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2336-1-0x00000000009A0000-0x0000000000A07000-memory.dmp

Filesize
412KB

Download
memory/2336-6-0x00000000009A0000-0x0000000000A07000-memory.dmp

Filesize
412KB

Download
memory/2336-460-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2336-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2404-692-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2404-213-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2436-138-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2612-666-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2612-197-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2996-171-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2996-230-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2996-166-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2996-175-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3272-135-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3272-133-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3272-131-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3272-128-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3272-122-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3396-227-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3396-696-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3424-698-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3424-235-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3648-209-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3980-108-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3980-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4400-212-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4400-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4400-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4400-119-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4420-178-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4420-11-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4528-144-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4528-150-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4528-152-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4528-225-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4572-362-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4572-688-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4572-182-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4892-155-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4892-161-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4892-174-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5360-196-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5832-693-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5832-224-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6072-83-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/6072-92-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/6072-91-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/6092-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download