286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
Size

1.3MB
MD5

2cb894051a369bc58d605aa92dee839d
SHA1

ce13b51563c2c0819e34d185544c4c0bf319b18e
SHA256

286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7
SHA512

ea87e4123b662bce04302b1b46254a777c5c8830484a12a99920fde08b8a1ae1f22bfc08b5c258090fa5fbdf26c21c2ac40882add3207e025071e075f7f3edba
SSDEEP

12288:hPiXCQXPstu7vSamKMkyPHqDURGTm4KJPSQXUybJFjKuqpLlm:hiSwso7aItMHqDeGJ6vUy7WuqpLl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2184	alg.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
2008	fxssvc.exe
3688	elevation_service.exe
4172	elevation_service.exe
4436	maintenanceservice.exe
1764	msdtc.exe
4696	OSE.EXE
2764	PerceptionSimulationService.exe
4664	perfhost.exe
1236	locator.exe
4372	SensorDataService.exe
884	snmptrap.exe
2312	spectrum.exe
3424	ssh-agent.exe
1148	TieringEngineService.exe
3920	AgentService.exe
4680	vds.exe
2472	vssvc.exe
760	wbengine.exe
4996	WmiApSrv.exe
3652	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\vssvc.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\wbengine.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\spectrum.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7953928b4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec14c3af37b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000feba06af37b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af31fdae37b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029763eae37b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052539faf37b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092c5d3af37b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000367322b037b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052f601af37b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da7f0baf37b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052f601af37b1da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4052	DiagnosticsHub.StandardCollector.Service.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
3688	elevation_service.exe
3688	elevation_service.exe
3688	elevation_service.exe
3688	elevation_service.exe
3688	elevation_service.exe
3688	elevation_service.exe
3688	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4260	286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
Token: SeAuditPrivilege	2008	fxssvc.exe
Token: SeRestorePrivilege	1148	TieringEngineService.exe
Token: SeManageVolumePrivilege	1148	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3920	AgentService.exe
Token: SeBackupPrivilege	2472	vssvc.exe
Token: SeRestorePrivilege	2472	vssvc.exe
Token: SeAuditPrivilege	2472	vssvc.exe
Token: SeBackupPrivilege	760	wbengine.exe
Token: SeRestorePrivilege	760	wbengine.exe
Token: SeSecurityPrivilege	760	wbengine.exe
Token: 33	3652	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3652	SearchIndexer.exe
Token: SeDebugPrivilege	4052	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3688	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 1784	3652	SearchIndexer.exe	110
PID 3652 wrote to memory of 1784	3652	SearchIndexer.exe	110
PID 3652 wrote to memory of 2540	3652	SearchIndexer.exe	111
PID 3652 wrote to memory of 2540	3652	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe
"C:\Users\Admin\AppData\Local\Temp\286ee900016751436d5ea3e6fea5052bde8c77b54c8d01ded0798aa65b16bcc7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:916

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4172

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1764

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2312

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3940

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1784
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
65e831944e86a0af015bdc830662bd9b

SHA1
cfeaae96f6e6382746796b3d4215572c56abcf54

SHA256
a9e5711b8071fbb305e6d7d005df09f7bc1319a8ea54db158f726e3739695c3b

SHA512
823cbcd0ed5d8935d2b09d5f9496f639cc49926b56dd5ff7234f43d300e006dc181837ecdb545b5f4a9ac1340dba5d6ef3bfaed2324a866a3c41ecd1fa275aa9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
056eb9c824f9719b646180ce3863267d

SHA1
6c6fca1c77ad87b9b42eb5ba522b551c0b385a37

SHA256
2735d907a510596e61060777bdf10ced6b23d10c4e6cccd1e26b14c1484d931e

SHA512
a6036fe9e3715fa0aa2257731a82dcab3a6d6e3525cf6139c0038ff32e2a92c9ea1d460b464879695fb05da27c66e298296311688c6228d89e34a186ab3d2253

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
ab01253e55d9893c06e6fa445f8827ab

SHA1
878e18c42246f6050c4cc16a8980c419e6d98861

SHA256
da2b2b6f07d9593188113a7a4f96fe67585d49fc39da81b555ef04aacefea02f

SHA512
ca021234c9c51e521116b5034a99b68036e5bdc854ab9801da20f92a0687a301b9eecb451cecdb2b42b1945c07fc2615aaa3e98b3d59cde6625b69116fc102f7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d801ffb883c8dc785ada682363e51518

SHA1
8bb57ff8aac6592637ac38c8932cd3787dc6e0f6

SHA256
0344961caa3a9db2d764263c95e1a47cfd8c8d13340412a5f622028a4647b429

SHA512
1756b1dfb20f4855a75242e4729097227301e105033f19ad982c35e466f554847474d09b4bd9b406c2294e456619341778e503c7d2a3ee9f8e3bcf12ba5aeeb1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
74a663b734b219e12e83fca432e0e77a

SHA1
b4ad1016448a3901e21f224b4e3401d2c85d88bf

SHA256
7e8d3de42d146bf7e738d1c6daaa61db1acf0a9fe43cab0407a62e9f63b1349c

SHA512
9570f85381c7ea1ef44d564eed7d93b56c53171440a5f5e146ec1c34a1da3c6d0e51877ac5cde266d09ade71d6189880580263d1679b289b9cb6262976cbb129

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
135550d02685bc97e69dbf8d85259d36

SHA1
ce1611fd848ce286f672ff7c4e059f86e33e7211

SHA256
9beac2b13bd548efdbdd7cf0fc7df7d5589e18a77e88aadc380c0b4b0b6856f6

SHA512
1f4aadc9453911561731a8ca528fd81016548ec855a9c7f28cf688a92e4ac1c0cf4768296ea33306dacaa20cb6411edab35fdc631379ec06f9f159b2a2e76b81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
d210b79876d64e04112b6cebc67518a3

SHA1
add63dcb186af61e031df1fc137ab86a6dee3fca

SHA256
59a4488b7dbcf7e0ab70cf0856f15e9e13cc33f049f85a81fc29b05447549ac2

SHA512
e14ff50f13e3c8502f37ecad766ad828fcb7b636f366f0fd424d78072c48e20f5fb5f62ddf42800bf7b04a1295ddd194e82123d8c5b911a3b73fac48d0c871a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3a7d97bf4a5c765a05b706e0160b11e5

SHA1
19456b5f36b139c61ef8a119300d299d2346d75b

SHA256
8a495b90e4fc78e95e57b8141889db751049ce3eeec3f1422e6186d3d43e2414

SHA512
d4a6e11a798d9273165c0c5b80b2094ee9c67f867791310a2fa35bdca35f648ea3c731930862c8720eb420b662d5b3b189ff803b0663a99d0e4f5be81346d0c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
9e76a733b091651a93239b616e8c5edd

SHA1
7db74a4837f373aac45ee87e52e7a56282624722

SHA256
88a442f999668a156444e17074817d28d2f40bba753bfa99ba935c179b169661

SHA512
f3ef94e1f5f2a36346652f003c2537eacc5a6679285a755c35456fccf46e47b5b9af0207f0a858bdbcffe36153e3845bc66b4923b3c48a97218c2155981c561c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
46c94412350e6fc274f488c1886128cb

SHA1
6866ad4e65e46ad9b10f13e4c5a3af0a426fa31a

SHA256
539dde4b45885a521c946f7cadb3769f3e8d3e19e4ad52ebf8b00d7c71afe8d3

SHA512
6be8a9419a49348a8e272297840d48c57e50f1698061f052ad3e76a87e993b9e86c838a4facb328647f42ef9709ab6f4a2af8dd57f526c67c8bf0aeb8007d0be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6679bfe4fe8d2b1b9323d847eded46d8

SHA1
c377404dd67eca26ba071e7bc2a1b27b9b9598b5

SHA256
7f55dbd2d77999420b76102e402babf92760ce48768547c334c94d23918b0df0

SHA512
4c0c6b71f6ab5e8acfecb2ebff1a1efeef2c90fb49a5fa631d1ce514182aa856c4a60fb4dc557ebd97dfa728aab557b2c4b9c16ded4ce9349f844127fb4d85c5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ab8dddb8f613e5aadcab3f658a6cd240

SHA1
3e6dff491bd1d24859b28383d6641cb10bb2fba3

SHA256
bfbf7a4e53bdfbc3ea374599e6ee16a076e513721058cc00b00d2000dbf5d4e9

SHA512
a2a9bdf3fc4cc786c90853ab113b7b1def63bb500157a3e8e227d8b2fd6fd41374371d87087087626f3ff937834004b8bd2e93e482ca4bd9850dd5db1b9afc53

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
a7e5d8635e45a734d5bdcff222763392

SHA1
63c1c70089cd6751cefee2aa79d5e4633923c2fe

SHA256
8767ba615875f0817640d5513ec0b75949f875a85dfa15eb3ac1113ecb139d1d

SHA512
7d2359514ad302c800c15a346e62021c941a052473121355e684ad5f83beeb5c64feb14ac5f005f5863b593571c3d1db47fc85158898b7c7cc93b4fe8f6aa974

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
001875873a9383e0022846ea2f523d36

SHA1
8d62d450a3a2d7becefba202b33c194b4b2728e0

SHA256
e3f4e7c9b3bab784f0e6a3a119ea7eeece2a2fae519b80df2876e72b6c7490cf

SHA512
d0c52de54d46d928fe5eac7efd96c9dfc5f267391ccdb60be33014494980482ec27e4618beb9ce81fe1e67aecda76029b1a8dd00b029df5c223ac37aca57d1ab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
16731316c3f8c4e0d970a9c32f4bb90d

SHA1
84eb653903e8533b85487388c12d07141b389059

SHA256
112532f58459562a63e26cb9faf3a8f8889fa553d16309a08796fcdc6ae48134

SHA512
41c29122bc9a190069ee9c52623b5bab148f75afaaa2c7d6d8877a4a9fca3ea7f51b1ccd72cedb2b781eb1e683b38ab33a7cb352537a9983f50b7bae4d7e6681

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
48ff484eba31a2f31b373e912d6449f8

SHA1
8946813c53c7b483f60f124a10169e51d534a28d

SHA256
e9616f11e1d4428c109ff2576039ba03c174bb074afe43f1368866daf8757f28

SHA512
f518d3e35fe6a724613796cf75e8c2cb0420600b6905a5b101f3a275ae056db0eeef8ab2d35e9308c92e38b4b7fb39ccfdcdc8c0aa16fcc919d476ed07f2e673

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8202c71173a868e6ed3c6642fa892a16

SHA1
d5b7cd6d2e7100ef7c55913d094ed5cb01c4328b

SHA256
88aa5e520692334bb0c82de95fa36775a5dad0817e05b24be39f66ce2f552751

SHA512
da8f12a4e916e9b9f698cc8d4bc37459ef0a5fd9ad5424b66dcc37c2b11662ae03e8dace51ba20313ad6fdf09547b5f96e06a18c10d3430178bfc95933de47dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7efad1d0d3dea72ca8fb8c6fc5b78493

SHA1
778c14fc36db97b8eda859018ad99a43864d7c92

SHA256
3747eaf693c540e4249576f5f037ddda89664a05d8fdb23369e3342706261df8

SHA512
81e6599f7bee9246d51d533ede271f48b0f4dcb762fba97e638832a733483065bb45161e32ccb434cc687aa75f49d6b56e762bf9fdb7f1b53c141b3336b29249

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
481fc2bab554d78fff0bfcbf0294ebab

SHA1
2b2fbdb26a286eb04b472dc7ac0d840b92df3d0e

SHA256
0cab51faf581327796529f44873ffbe3b162dfa0dd94cdddafac6eb40a952e46

SHA512
c9854c8a43c4ac8909b6a1d4646f6dc49341e6a4f2f780abf39334108cf25e63064ee8d8a986c1c220e73e2951de64c9aae496979cd2f189bd6c8ee6a82ae2d5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ee188fc1dd08327d66bf7202dbb8ffa9

SHA1
7d885dba3b668f0835e9f24176a1c3746009ddab

SHA256
ecc79e8a156125fcac3612bd0a30b98d976a8019f56298e1aa7e26086eae8f20

SHA512
a8137ac82957e6e4428210dfcb050c86142b2dd67412fb5705679005a47f8a7e7d764f2f8639fdbcc17abd0fb10b7fe43338e22e9ee44eb9654d557e666e2061

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
7febcf0d11ee235f94f6ee998ad592d1

SHA1
4a3ae68d78b543dfef03f17fa59a4fd3bb4756af

SHA256
eb513bee87bf6bd948af2ab3eb730ac10d7eb5898acc38c00fff447471742c85

SHA512
26daecb51fba1a1bf0913352ab888e94004ecc1940ca26c5b7f5350337f0e253d4a31729ac0c51c042af439db956fadf0288ce967956cccb44c603fd01d6743b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
104b5f134f79198dcb55a2695dc7df6f

SHA1
97fb319ab99e91906ac03afcd9bac788641171e7

SHA256
50f2aba026f5ac4d48310cc36ee80088d38ce1e204a4c66db4d956a241e6e823

SHA512
38fdedaaf7947d1bdafd0a4935fa205b79c81da58c2a63e68dc7dee9f75ff7264307929d28b0da8adf69f08a87288696626c3fd7b66582deb3e3af8de506ab03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
cb09edff1811f79280bc76a901e6deb7

SHA1
263f16aa856dc20aa861f510e80e37200ad5a21d

SHA256
827cf910be82d3e1ac7c59d0226208bae65a8fcf55d09ccd1fe3b0e70af86583

SHA512
6e7fb10166a3615d6e230a6a4725522f3ac46587c1de95ecc04faf7ff65db3e24c92bb07f46f77511972df0ed5c54e13194e19640e672452dcd8c9aedaba30f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
55ff6b69c76ec6783e2ce5a7f3447373

SHA1
2d9bf7b2e958d4ff0e35d02631f12263f315af4e

SHA256
7bec38278b8d7f1bacb853a255abb5826d68c0c1191b97e37d019ebb48181293

SHA512
e1eac40270374f31e081e746910d2c696913900891572f144ca268d35ad1827fe4bc72d2eb07b195216b2a600645ed40bd413ec784f1087dfe7bba2d01a8e36f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
e1e1446d5ad342a77646f447364cd417

SHA1
3bbd2018676d09da1d82aac36a0a72de749c5840

SHA256
b3b20a0fc82184ea5767acce5fd69e5e1921a87029b2a83bd2bdeb5f02dbac14

SHA512
2010787f0df39879ae9eb2baa29e80329731265aacf18eb1065f833ed72da65f11b7ef60435c8f764c5c301b45aef135bf4d77567983e1b0a5e201412fd4ff99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
ecb3cfa909f22daba686ea83eadf2aee

SHA1
3cc3b59a861efa9289f708d897e396b2d795bdca

SHA256
1baa64f6fb0e3431c7f0f194790d985cb1995d1b7bf2650611c7c07184509b34

SHA512
033c2da2343684aefda1e9a63889b007fada7b1b471e59a8b513a23c2d32420035f8e47d6841d9a56e6435071946a0263ca0e24b442149e03ff71fe3da45c46b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
8ead3a543c25862fbc7c27660c2b8554

SHA1
1cd6ff7e31dab93a9fdcca2f9ac081fe68d70fc1

SHA256
5ce1d2911c471dd94b56516bd5021f2e969d90e3e28f65dd3bba7e36833d3e6f

SHA512
9791fcd985967aafc7602cca67d8af973c5460ad00b4ce92e5390158b24ff7b504d82a283dd2f46337126a9bae0884af6a4170c4464a24b907d596702c3e1975

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
e954321ff21c281a389cefae74bac987

SHA1
d0bf22e3e570e75871bdda3ebf763387ac4e63ac

SHA256
d6061f509a963234dcb6a7ca679efea54cfc55c8c169adbb1f35a4ded367db47

SHA512
ff969a82fba72f6462299e0bedc73d614fe5a6bb0b94bd09f9127a1bd51de367e348981a28ecf25ba80940fed402ce26aa1d4c5dc12e51bab185b5d26d29d149

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
8b0bafe7e37949d64d96bcff7c727780

SHA1
a3996af5c8640cadb69acbe21b3a077b3fa3e13b

SHA256
f096c16ab286a3e4713324fc32f8474773070cebdaba4d30d60337aefa223f7a

SHA512
2de8c97c151871e53d6d79f11d08fd13285b48a3c630aafff2a17710fa8a1baeaaec6ebb4b9829a2d36b237f15215d31f36e2d81648120f505d72c9ff116a5e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
67cbe8ff9e1eaaac7843ca669aa274b6

SHA1
d13063307f5d8bca6fa8d040d390c81b852b3eb2

SHA256
1164c8ea564e4803966d104fbf53eedd2df6e8715b251287c85c807183fa7dc6

SHA512
46f28694d2881ed92ca2eb761ed4b48a5fa8b7eae8d58f5caf35c22242c0b61f30f25ebdb08350c3369d436eff374ed7900834f5e8766bde4bef480df60c8612

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
e1014f948590a3b383c2985e1dd0eed8

SHA1
ae11c904755d45328179140b324ab30f4c83252b

SHA256
e3e6fdf79419fde05668aea94f15229b8ed00fe98790bbf4e4218822ad7aa7df

SHA512
860d1c3e66ae5880462065ba57a1367c4b566005cc2a8c4e6d0914a5c6472b6e1fb1c19f68709ec961ab747c05a55327595dc9f20008a9cdcd80d1575cc70117

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
4f8e0dac927bb64ec47edb25dd8013e5

SHA1
de2d6a53c4a044ce7f48ba39a23784184f80975f

SHA256
bc3774f8ba44cfa7fb43598bfaba73a7142011e35fe5d34d9782ed098fd0d100

SHA512
9f51957d10d6954df2588ed39a4d8b2ef1af365c2546c1071a0ebac63b2eab7cc36b8b9473e6f1fbcd56e9672d4252a4bca93fde6774de70f8e19b8e73baecc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
65eec6be1fd51f9c2a998b93f10a47e7

SHA1
306f7e49ae9c53d810489125f6ae9d848cd9db0b

SHA256
8c0058c801ef28655598b907955a669530fe9a4e48359b27b2ca7a34dfb25883

SHA512
c88a3feba0e7cae899a7bebc6b6d271f6907ac9221fbf29cc0379c4626a9a64d2e7b72c9688c341cc45767d206398f03c8bb3211472a5a77d12fb02788b6051b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
ff74db1e50483b8751f44c3d6b7117b2

SHA1
49d659adaf872e03d4ccd0f8be0747c3cfaa7879

SHA256
e0a62e6709c2e2fbc23d5c7c1067cb089a3320bf2e922b45e6f8e77a7f18e1ae

SHA512
49d07ac5e35b063b7708f8ad425a6192124f8ce155ca91545e7774c384387c2fc343a3cc8a177c538f71699fec58f2f28e6ed80652f95f4dba58f214e6f584cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
94790bd00653874c830755a91109a582

SHA1
c76b3b5f908013235f0646f854663a41bff6de81

SHA256
4ce440c58a3313c3cf59794ac83679fbcee2ab5c76e819cba33545e1944254bd

SHA512
7cf8580a913708826c2efe1756c042711e019f42c91649bc11e8108351190bb6938726cacc063a346cda82e5b1ac543ab4e9e86f5edac2ebd9d44ad9fe8b0eb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
8583f8f2084c38c99c4a896f0adbfcef

SHA1
7905894f9c4b4b96d92c809372a0718ecc0f7fa9

SHA256
2bfdc7187cce98bc4cab5d9908e74771e1451b4c341bd0703b711b49dfe9c8c2

SHA512
36ffbbd44ee05ea3d0582cdc39daec32fc6347fee8d935d4e6ce3ca5d015834cb73a4e4db82c1b6abdf6c2a8801ab991bf3b0cb855bfceeec4286dcc8a100684

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
555c658e0cab0d3f470ab627d8154f49

SHA1
75b2cce88ced70da6d13328bddbc7c93490e8edf

SHA256
9b791ac7436fc542a5acd79c338e2b61bc8b2f97bca02fbf6aae18697eb5d6d4

SHA512
69189e7d5cac02cd32ab7e7253ade8bb722868005f4a64273b5119c8c992a0a18c191c3a25fabc14fe988b254f6b86af66406d777f6b53fd5ff6dad6351df62b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
210529cc275d9bd237a33dfca4cf878d

SHA1
e9dbdcb2cc379da72d13e4702ba923b324b8e291

SHA256
179699499f80d50b46037070535e8801c4e1512843c2e2e0408faa8af4f4f8ca

SHA512
96b34b11e84d1c0ef62e0b198652601dcf984070507b984ae5de24cc716c9e4ef779a0198ca0c5a38f2d3f7f83f37affd45f1b61bd42683c910f8b5e28443292

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
5653f53ad4e96c9b4f02a1e9a741aed6

SHA1
89b4671d3db047ae4b6432aebe0a1bf9b63fd61d

SHA256
3dc6021f125c3dd25115c46afce6c88a7806a796665fd5b952468d5639f38d72

SHA512
bc5610d8af18ecda3eaa709c32e9c67fec9368b4acf8a12bbb7413a78a597999e36a6680d83493cc14664c70d6266e79401b989c3a8deb3fabda23541add6fd7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
1e140bf9a83714d6db6ff8abc55da5a4

SHA1
e2b322824466a6f01e0186d7a7c8226ea5f0f17e

SHA256
ca81a1b0e08577a6a31d2de4da6a944c60a4464b0420d4fa9b30a5de2acee2f2

SHA512
dc6cc2f48dfe7e00270e202aded31771596b271cca5eaf3795691088ae2da2220eaab960e0f44e98a0d384d9abc98fdd553d3e7f7c143a9d69e6c55cf89b03c1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
11ea4b4ccc1dd508e1725f599249e3cf

SHA1
42901b4e145c32bc9e8dc6ff59288f5b2df5f652

SHA256
eb27446910935e0256ea57ff683c4ce997fb724dddefba48f7f45d670a4976b8

SHA512
e2eebe81da5f3e14065a18db16eab1348e070f2ed15192bc2714b02f6026fb830c29ad4d40515a7453722b48087cc5d093cdaf1d458c18e30fbea1cfba95e2f1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2a74dcc85e7f5c896df87541c11487cb

SHA1
8df68a4e430f56464851696642c0e01e154c5236

SHA256
6be1775eda672bfa656f20a235d55c2260d58d432facc0c45e019aafad7790f2

SHA512
8d6cb67d39565604589c55a1af1105e369fc2fdcc665d3e8fec1d0cf6df558c12b7709ea09263a15e99c40da42d0eb25d3a6e91c196ebcbdbc4e7d724e46ac7c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
30f6ee3a9bf18d1886a3cb4be36b0bca

SHA1
ea8c17c2a88406af3698673a44db1156f64c0089

SHA256
6c10a589b2f696625efe28020d25657c8b2f509a814c89378a48a286f1c534c3

SHA512
b3d17e481acb214ee2507229be2e2c017de51e496253606bbaecbc2ef73f06e916c41a55b669a27ddd8367db5076715d31127a1409957ef90b184b9559d2377d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
aaf1a67bfc198ef6a42d418c1896e209

SHA1
f9a1a71b0f1379ec930099ce483e2a9ed08da7a4

SHA256
6628c28d684dd70af30c1295e627f0708e8f7834b253fb35cca0f77a82de2d28

SHA512
1c70622529cd15c0c13d4fdd1fb196d4e777f08aa81a897c2cf4cf727d4ae931daffb3bedb5f99ce0f2b1873f67a59f07819d7b319b35eaf1aa640583ca84b28

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
64d4a2af0aabe2e6bcd6e25fe21af1cd

SHA1
4ff46c4eb9d1793257a37b043f8e31951d9f0b32

SHA256
ba8d78b1e60ffde77cb708793c05f410bca8779b91c609aa6b88836569419894

SHA512
65c4458a673741f82c300622f7bb6d58047cf8d071260b2d69f53fc67c60a87d44616b1605181df0062d49c3d8b966d07c1781cfac5f3590879ed0a2240f5dd4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ab61aac986418faae4961ff50ec89392

SHA1
dd64da2d7ef3881ef7d0a555a2fa3553072fbbbf

SHA256
13bf67a9b562d602778e139c7f53dac7e9422cfdb4f8e9d29dd983be4b6c5081

SHA512
8fd61d64cbe8225f807b4da3eb82a1b62b98110cc45ff57f686a60605a2380d55b65b01d18e2a405fe004da0b47958c14b5c39edaf57d865496d46bbbd8ef8ff

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f02a52ffe5d735623e66c7ae2518e6a7

SHA1
93d5f24b6558f957509444898909b3ca573be214

SHA256
3f96721000748abcdd633516858c1d98d9b204deb64cc05d5dd7ccbf3af7a0ca

SHA512
9183f1e8a37f35f71e311bb8eb85a83a754608a2347aa91df3620c04b3d321f58bc01f94f47ffe63a389c7569a9c89a0e6e13899ebeab6d1572577d0f30a9624

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
16a3100a9b66d85a28c4fdfe5bbac523

SHA1
8f4e963338b1a7d4d2882a6a40f3ab141529ae83

SHA256
5dc6499b903a5582ec382dd995d80144c734f5c7bc84fe676659cfd934e67e1a

SHA512
038542bd4d7d2217cc61171c43cd8ea5137dc79cf25a20b75c07b493759aa8194bd635ae5987d1aa79085a03db1e5bbbb6b16046b8417c420e9803dc5bab0d84

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
845efd199a06347471ad188b6d8ee393

SHA1
96b575af6d734a9e2f240ccc52e42029fddb725d

SHA256
dc884d4993b99290e3913a9529fbb1cf70dce522f90d1c9fcc965b742d295876

SHA512
36bd985fc5b6cdfd71d08e22191730c81502ff3a472ec83c55f800a4d6bc88692b6a46e08129987998e090d47e32961422cedcb1a44cf9b6f8a4ffa7496c96b9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
2c1ddd1c4e946f70a6c0e777abf67bfc

SHA1
a5e4c82cf7be9dcf9961c011810528e8e98f7352

SHA256
856b814101a8e846959bcd545d0cf0e6f1bb352a8c7854c73b13afb2bc3223bc

SHA512
b05e3e6a6ee3b404b81b624291ff00be5fae9c24a1fe259bd09a12fb86b7a9119719d29d020f2b6027728f1404ffa010e772b008dc8fa5c0dce623ef54da9507

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bb263b3a3a41f0ad3e5dd71a527e26bd

SHA1
04ce5e68f76a4d09214f53942a5b5e1f30d52a60

SHA256
c8046e5f8eb14b602b1def24f3cdce081cb50ff21567b3f4f253f125432716a2

SHA512
1658b8a888c53f886e52458a0ae59be153c0f641abac6b719acb8a0f35c45a0e0edd5f97a95a61d342afb28df57b921a9e970c27ed795010429cac7ffc8123f6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8541914853650b4336293e6a5d71d5c2

SHA1
b90e0eba6f7eeb90d6214be760b783ccd8a63061

SHA256
210233be9e7ff04aac60144d82337a1f8a5dab518c3a22f87ebeb2804763841c

SHA512
da38483eba622d73793e7aa1fecf9ce93635c163778790468e51fffa75d4fa90f7527e801d80792400ab6378df6fa50575395f9c1f7eb09226a5445ae5f50c47

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
df568287222215fdcc6bd6075d87b8ba

SHA1
1aec63f52e4b3e0a2afcfd236930ebb757e729d8

SHA256
1b9cfd18c3abe508086c707c602bafb1f73bba0c960a1bf86e364b0cf59d60a1

SHA512
f129f142445e5becf803f2c1ceaae98a92c26aaf0047bc2a21346b9084c28f8fbee1e0d1e3e2e55d1f8f0e880c63dc98a0e6914aac26ebed864d62cc1c001085

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
d1d9c380e464b08b675a0f492054bd59

SHA1
698e3b03679cdc3a60ed650c074625c8aa80173a

SHA256
adae3b0af5f9ecd5ba6192ce879ecff84766f9603c251262cd58a24e30cfa3e8

SHA512
ef52fdc215103c1875fc96ea1f6262ae2089791e2cf757a7c63e0ab7aa015f52fdafd927699069243aaf8cdcb3175a6183f1ed17e233b60f3f89384036c71a64

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8641d06fa0fe9dc9ae8753514758e5c6

SHA1
dc90c203b4d8ee0830891ff041057b0c715765dc

SHA256
6759a20e70887234311293c8723dbdba7a88eb7d798abfc7cac4e342ce710f76

SHA512
0b01b8adb823e293ab2340e73103070682b4bd7f0bebb76e57e7744af7de95e4a2d00b7417fdcf4bab04f86d5d36d0693b352872472960752c59a5400f1ef39f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
dd37f113eecffd6d92f68216347a2f4f

SHA1
9eb137c0d627c494853614ae048e003d5e00baae

SHA256
2ab538c2bbeecd40680d5a21f8178838eb8d8297247b7940e41b027edb571394

SHA512
12f1ec4b65b05cfec5b01e17da3ed5fb41b9e8015272670aa4e4ef7e3eccc78d56948d08f44b9baebf3fb07a6f1a633845f0b6c01de374732119cb7849cb3c8c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f8f2cd71eee5af6ea532b2ab78d5d66c

SHA1
46e174530d4840dba1acae8006d84a33f5efd301

SHA256
34830ed27657f739edf4aa483986bc45415265d924e21bffe809f5718e246f5e

SHA512
f102857d4b8e518d61a4b6c8a12f2d02bfeed63e7ccd6241911b381aa7857fb13b9644e3ed3a9025262993a816efdd298ee14bc0a36b0fb589aa451db51c455a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d643017a99a58f4c3a1607db78c4d153

SHA1
c92a744597fe65de42dd6c2bd45a1717a47a9ac3

SHA256
a4c87c058a6f0407959f37e2f726275f1c093e5f3247c77f1e96495601459607

SHA512
135d5ce563fe9fd1f3b3a838c575680ef15dc30f750f45020d94785ea1ba4aacc12f43775fc2cc285f6f8e9999bc4fdb1c7eecfbb04697a95d6f35bba418d938

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
cc24b88f4d5e64228dd6237ae5cb3956

SHA1
3809f19182b99487aae9b8a4e504669c81bde5b3

SHA256
85f04048cab9d676728f82ad536a33bcc360038f73aad10e79b7f1c05879e4c5

SHA512
8bd7464a55fb1318896ee1c835f099362f2f1193ef904bf65c5e60376971d782c0a67a619a5c86ef3bd2644fe1f8a4094addf66d56669c21927df1424e141d9a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
c468371cbd89c5184f2e1eba257937e3

SHA1
1a31f8285ded915158d669411b3c5f2fe6565e06

SHA256
8d7033d5a54ce497f90a80303977c440ab5f709d5ff6b1d834b58bdde9a72fb0

SHA512
dce98bc43bab48671fad1fb306f41f2a323d29a51d1839d565b200a3c8d9f1f041010d5d6bf058bdc91aeda8a9af6ce64ccd27e4ed07d86e18279e519fd8ff0c

Download Submit
memory/760-166-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/884-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1148-163-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/1236-157-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1764-153-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/2008-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2008-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2184-515-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2184-13-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2312-161-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2472-522-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2472-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2764-89-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2764-155-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/2764-83-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3424-162-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/3652-168-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3652-524-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3688-32-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3688-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3688-520-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3688-39-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3920-136-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4052-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4052-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4052-24-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4172-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4172-521-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4172-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4172-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4260-8-0x00000000009D0000-0x0000000000A36000-memory.dmp

Filesize
408KB

Download
memory/4260-1-0x00000000009D0000-0x0000000000A36000-memory.dmp

Filesize
408KB

Download
memory/4260-0-0x0000000010000000-0x0000000010150000-memory.dmp

Filesize
1.3MB

Download
memory/4260-368-0x0000000010000000-0x0000000010150000-memory.dmp

Filesize
1.3MB

Download
memory/4372-511-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4372-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4436-68-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/4436-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4436-66-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4436-64-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/4436-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4664-96-0x00000000006B0000-0x0000000000716000-memory.dmp

Filesize
408KB

Download
memory/4664-101-0x00000000006B0000-0x0000000000716000-memory.dmp

Filesize
408KB

Download
memory/4664-156-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/4680-164-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4696-73-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4696-79-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4696-154-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/4996-167-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/4996-523-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download