51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
Size

1.8MB
MD5

26902654d0449861ab06453ec59e54d9
SHA1

6f07077af9bff18d2a256d77d66eea530c56180e
SHA256

51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712
SHA512

2bf6d1419568262069916cc2cf64d513d8b1d2d5a8d0443dcd8d9ac009e1764c7e4dec7d3cd90963d9dc0cd2fcc0fbbf246e5eae213222865a00de82b25392b1
SSDEEP

49152:BKJ0WR7AFPyyiSruXKpk3WFDL9zxnSyDv66mG:BKlBAFPydSS6W6X9lnBDv6V

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1028	alg.exe
768	DiagnosticsHub.StandardCollector.Service.exe
1816	fxssvc.exe
1932	elevation_service.exe
3728	elevation_service.exe
2972	maintenanceservice.exe
3036	msdtc.exe
4804	OSE.EXE
2440	PerceptionSimulationService.exe
3392	perfhost.exe
544	locator.exe
3688	SensorDataService.exe
2400	snmptrap.exe
3884	spectrum.exe
4520	ssh-agent.exe
1868	TieringEngineService.exe
1268	AgentService.exe
1536	vds.exe
2876	vssvc.exe
512	wbengine.exe
2744	WmiApSrv.exe
4816	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ab50e061d590e271.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\vssvc.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\msiexec.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\dllhost.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\locator.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\AgentService.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\wbengine.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_pt-PT.dll	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_ta.dll	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\GoogleCrashHandler.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_ro.dll	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_fa.dll	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_ru.dll	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\GoogleUpdateSetup.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bdae48938b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a39a468a38b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008525318a38b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021c32e8a38b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006cb3dd8938b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
768	DiagnosticsHub.StandardCollector.Service.exe
768	DiagnosticsHub.StandardCollector.Service.exe
768	DiagnosticsHub.StandardCollector.Service.exe
768	DiagnosticsHub.StandardCollector.Service.exe
768	DiagnosticsHub.StandardCollector.Service.exe
768	DiagnosticsHub.StandardCollector.Service.exe
768	DiagnosticsHub.StandardCollector.Service.exe
1932	elevation_service.exe
1932	elevation_service.exe
1932	elevation_service.exe
1932	elevation_service.exe
1932	elevation_service.exe
1932	elevation_service.exe
1932	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3116	51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
Token: SeAuditPrivilege	1816	fxssvc.exe
Token: SeRestorePrivilege	1868	TieringEngineService.exe
Token: SeManageVolumePrivilege	1868	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1268	AgentService.exe
Token: SeBackupPrivilege	2876	vssvc.exe
Token: SeRestorePrivilege	2876	vssvc.exe
Token: SeAuditPrivilege	2876	vssvc.exe
Token: SeBackupPrivilege	512	wbengine.exe
Token: SeRestorePrivilege	512	wbengine.exe
Token: SeSecurityPrivilege	512	wbengine.exe
Token: 33	4816	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeDebugPrivilege	768	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1932	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 760	4816	SearchIndexer.exe	110
PID 4816 wrote to memory of 760	4816	SearchIndexer.exe	110
PID 4816 wrote to memory of 1720	4816	SearchIndexer.exe	111
PID 4816 wrote to memory of 1720	4816	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe
"C:\Users\Admin\AppData\Local\Temp\51de9fdba31d6352d1ef0cf0612ee4d085d39ada27693df79e956649f6b8d712.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3232

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3728

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3392

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:544

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3688

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2156

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:760
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a55f0648a29a38f075754fef3aab366b

SHA1
55888b2cf128daea7c04327c98adab7ba6460ca4

SHA256
1184c9baabc7ee5b21a1f28dde47644d9315b436a9d6c4e072e794a529ef1796

SHA512
d1245e807ab087b64a8c707a55ff8f6225019bfd5b18235c162fe789dfac9d90d9a0acc50da3aaa06472a8918f80a763e54065aa656c754f1cf1b0e1b1c1e2df

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0c1bc33b81ba7efdbbafdc75929e7476

SHA1
e722dd99d0f3b1a3b37cbe0fa63dac93202f31c5

SHA256
11c78d1290424f456f21dc2a274788ed78b5878c66fd05b2a57c5a088890b420

SHA512
757373c9893ffead7651e5d1d63b567b6e94ca413ae09f7b0f78f033be99170dc1fa152d812422a1b6dbf8cfd6d264c94c8444d8cfb496c0282d1dee9de0fe9e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
4e92123c46831a48f920bd0d5924b1b3

SHA1
f578756806146aff1b903c066e7da9eb897f02f8

SHA256
6534d9b0ee01e8fe37ad172af00c5561b7133adce15795bafb0916fd8f4e4f6a

SHA512
1bd61f1b2292ba3d5ce36d21fc2b61e90dd428b3e15f00731b077172384f1f75757a17d3b79c2a2a70b3d14343cb1b10e3cabba6d8f54d675a96290c1daa3eae

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7b80bb910de09f35b1b0102db56ca46f

SHA1
d40861286215610b583eb4400b1b227f04bc63a6

SHA256
22b4616b16e0f8f641bff342c82d015936d6cba5ad3ed7f39585d3e040624379

SHA512
16c051a01f09c5122f4a527f26add30572f63b485868151786fa58484fceddfe4b0a6bfe54f4e8f821f805e445915d1a10943f48f9f8cc72c029e92be09e3023

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1c37488da5de533b080d675dfee72e74

SHA1
5a6e7feba99d8caec3302a690d3c7d0100e5801b

SHA256
711ba6474086addff565eb4964b61834ecc45aca181c5a6b765a2c543bdb4fd4

SHA512
dc6261d87dcd0e789d4e3aa42a83dfae443173ccd76c91f3895f1e45c10c2021ac7c8c9e8640ff13c31a89e898e831b0764513a5bfb673f68075a338457fd7af

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3f862221c4a079ea6ab4d4e0db19fbb5

SHA1
2f55f1b1220e40feb9bc596d9db292a16c106e8d

SHA256
1fc723a50505261d995eb8423f07d5ed5406c9a4fd8917d34251262f0b5c0f1f

SHA512
d09b32fcdf6211edc8f74275e39592300fdafb17abed74a8370cbf8aa7c4f7b5f6c8de30da8eb4712a7ebe7ff2cf0eaa0eb1f09face6e1e005c0e9d48c5ddd3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
eba9ab93ceda3d493f775ad78bffbc78

SHA1
19138825b103aa294edd41b2067fec360dd316b7

SHA256
a5799424308d3e47501939560ef5be6e46e4b66f42b8f36a959b3482783ef77a

SHA512
22d0867a5eef8cfb7139f28d26bac155412c43ac9b811120cf6b1960d069aaf3f4727ddeab78f80c51e98735d6245d8dec0fcfa29ddffa0f3c0e4b44b716aa92

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a9962e0cce0eae11f49a9009ee6a36e9

SHA1
f36ccd8ed26a3af6addb757c4b9a86eb27f323b4

SHA256
f3230f61fe540a8853ebe89b61706581bd048770b78eb95853273d4d93235797

SHA512
2e04ddecb892e5f03d0e9b08f0e2790239cab8a185ba5d080c513b3d43e4157fc59835f1b1596fff75cd65c87f01044da13fc35d6072293d03d7766cd74e6094

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
472f273e8a642aa98d2950d671179149

SHA1
41942778f7f6008f988f409e2f7884def8ca27b4

SHA256
2a38e45abce9b85f095dbd0a8520e6cc4ba831f88d9dd31e7a4dfa4fb85b7b7b

SHA512
ae59a6004388d92ae8e8721eed54e19cefa84dd6e002acb9062591ef1836461e836bada08c8dcd72cbce6e01849ea852ca171e4bc347cc6d96fbfe2cb0b48ba4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d6214caaefc2a0d8792b270064f91c56

SHA1
24202d9afaee2bef67532479b4f4748bd62012b9

SHA256
3c472d2a619ca212988520466a69cb8fd9c6a8eca18acf94b6c7ebf438a03428

SHA512
c0d10acb0666a88a986149e8c8c69de8a8b17952b0a3ff31b0569b5993b45e580979c9e0875aae4f7313039b67399d5b255758307f14485c0f8d2b5b0a2d7e74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3c221cccd16e2845ac89dfc9f8a435f8

SHA1
5c8d1d0638c2b3248a5fe9409c38f91ad362bd1a

SHA256
7cf5d273765b50159b193f7f752922c692231d7599c418e53ebd4cdb89f4a731

SHA512
acd0eaa649d55dc54e7dbf8f0994d0315e7ffb3abe80cc0204d1256b5f460b9c445ad13431fa022d7e1ca1612ca2b46bbf0a062a23c75e860876bfdd6a5d7018

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b856e64c53a6d1db14339fc579e52716

SHA1
1c094da04efdf68e406ff91ba7cb25b3846da5bd

SHA256
9b3fe37ee9a45613f9bc48f8fd8167297ececc95cf28d55b1f9441eccc8e707f

SHA512
227e871c9b18ef7223738cccba2e7368a4a65b4ed300cef8f86ded693ae4aafd35b527e6c3c405c6710deed5dc81ddcc9d853b797e472e181f9a3f37945fc4ec

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
9df61b987d259250e810ffadbe727bf7

SHA1
5d5c73b872c0ef2cfe865a894c380ec9d512a0d3

SHA256
b881408a7575e68f810c1828ec7e57faba36e92e099f1c6058e18974e62553df

SHA512
fafc407c46cca5651caeede60da0df29148c56eaad58711b688511797eea5e2bba7aa0497b8ba658790181dc366b2ae34f5183a15279dd83c496bce09062cf71

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
a91cc890c65182540f1fe4a0d450bb53

SHA1
030d7d94cd14d67b1ddda471d828323f5efddeb3

SHA256
fb5973eb5018302439e9c7447388d8079152aa68a83f66d8bcd77c6bd1182e6b

SHA512
0b970dd5e36b335c8db840a5d704bc0ded4208c6d445f9d4aca39e19ae23dfec5e8319e746e35a0a5528a4ef3570f5f0b05839976bd8cf4ed95f6a7f28b98f14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e3977e583ad839641d9949522e8ad81c

SHA1
d06a73e241ca6e2c804dc1de9a1119fddd31712c

SHA256
e80840359f2b3e96d84241fe62f959515b6cf5c0e11c828a2a3bdf3ab0c1a2f6

SHA512
4be0e4d1ea21ad6972cc99303a35ca8432e600d5478ff6719898cdaa7c33875c532bf4de8de8b0cf049d574615b30dd8d51d0e5ff147f45c5ec301fa64753bce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
59477ca5405e1470be3f7af300ff49c2

SHA1
895413884fd3027b536cc428de95da80b7d8c3b6

SHA256
f2e2c03baba8e9f6e2c54a9c0e6785c538c55f65a398a6eb740104daf1273134

SHA512
ebece48cc4e2be0e6ed8ebb51a0c851c45a648a7c4bf3c2d141b35f21ff28306e6503373b1d7fec5915e5d32fe70e21912525034838fa5e2c6a04bffa2ccf3f1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f9f4abbbb032873b813c0cdf48439c56

SHA1
c7e3b9b0322fe8b2979f65e9e483b4a2b537d0a0

SHA256
9e8711fa6b4219bc97baaad8b94082e34f3a08b72f9d4563c460abc44daa23c9

SHA512
1a101251b7b83d04c8501dd3b0a8dbb21444a54e0534a7d46da563ad69b392c6139abdda12cc0b3c0082f5f819fa773b14ea183d3b80e79985d5e88aac581774

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5daa59bf5b5f249be5c4f2e5b1636c36

SHA1
aa3b783d510b97cedd783e62ca7459fe281431a8

SHA256
45ef2c5966cbdf629921b28638262a2e70d31813105fe8635122af8eb0f2b09b

SHA512
f26198eb21c419f7142da70774ef64cb8d3f91945477de5a683fd3752215bf5c19bb211fa1121a7f555fda5417e291917efc259da3b68f9112ed1e67a68473e1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
de11f210aa4b6e1acfc82d57439ea1a9

SHA1
4685518a4158c5cc4c00492b8101315437ada1ed

SHA256
caa95092ec313e3b7c52c422024e738dac7b9dda41d3600db80106a1603aaa7f

SHA512
fb6de330caed1143302c07c9b70d865ba9b1d09560cf8b3a3715a4d8c82b7e1a6f70ff097e0ef9c70eb503989ea742fa6b8c12379101a8ce8010e48efda88326

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
95b5ff63d80f49772458a835872671f7

SHA1
60099a8bd7bcd149275977b5170025bd9cfcef35

SHA256
b15c844d8766db58ef95b1571b2805d51c521f5ea85d7fc13dc9a57d00cbd08c

SHA512
d7e2b31556242e70c4c1d14cc471683379b8f850122eebdb0853312be2ef6cdbc5164128aee2be8e687862af2ba75f2119148cbd59c97d2437bc7b48ba77b15b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ad7c26000746314acfd99d12beca7caf

SHA1
05918672402e754421e94928f80bd75d664798fb

SHA256
dadfb199b4de65562be2171e33987cbcd74a79556eeb0fb958a0938299165984

SHA512
d595c52014009dfad73bf108fae22247fbdf5bbdc2d08d19a6abc53c2f3c9df17abc86f8206fe8d1fcf1ae09681dbdf89f944d62f14376a5556e1a2e920e2837

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
798a101f58a05ed64d5ca10602582c3d

SHA1
4807988382690a2fd6e1335f0a97754c74a1e950

SHA256
29e849f00c893e1c24d80952d4e224225b6d5599ea23dbe9402514f8bbfca7ed

SHA512
6bf0abcfefd36c7b9294122987bcffe6abc29363bbdb64dad79df07a75ac29a236f6d9d941dcbb4961ef3ea0f7962981e2f7c3b589d74c85a58cd8b6ebf0563f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7539c73cfab5c672a6ce93056f4bebaf

SHA1
0dcd4d34f07b12d5fc1869a07e17fe4289cb4c27

SHA256
930802a5d2108078a68207e6ee4cf4205cee2b0807570457dadfee22caf867bd

SHA512
cfd8b4ae86f8e285ca2e68d9b33dd9077162d318801ea94a3d40e0989127c739b667291b13c41ab336331fe7019044690e6846c3588c6edccf8f674ec7239eb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
1c47658ca7e1f2d392e34f623fe3f888

SHA1
31b8bbae009ae971ee5c68cae045d47a4c13caaa

SHA256
5a2d41f904b1b2e29a955c832ee3ddb7af7454ae12f4d87ad3ff3c532dc16cef

SHA512
ffcf2f08ed7c56edce56bab35d023f6b9fc3189bf8b982538ee23756e258015d620081120a01b70f4b8a46d8234debd7941659c5c3cb1812368cb4c13fef7885

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
fe60812e086dd0dac78e9756ad7716f3

SHA1
ccddf6e47eef9a20cdb292274580bbeac35d8f73

SHA256
b048127b4a5d873bfbd2b13dde41b576335b4b9f9a281718c235a994c8bf7389

SHA512
c2606bc9bed0248cebdfbd17a04dc486f4a6ba8d459be14b7b13ac29a8b7766dd1bbf7d00f44bbf69c1d7ca1e897077bfdbebda1ddb46d82118733dd5f448421

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
31038344fbda7edd5ba69604e9532973

SHA1
57e55b9ccdfbf73080b062da4698eb965c4573fa

SHA256
327f2b1493aa69eacf81852a433858c86eb6611837ea3193bda6ea7905b2cd02

SHA512
8136bf3e9044743e18c5af49fe3013de4175c87431a1f07f968698eb0ff1e0d4e9839956599a6389d6a830178a28753904d9a1cf883a3f1b53aa6957708f62aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f485b6641fd3c77d6ee1e743de52acca

SHA1
90d2758e4fbebfc1c3244e68f257e6085bae52d4

SHA256
37a748f33e94234f1f7108c90af760ebc5a2434b9faaec649e1d6a5e03c67db1

SHA512
c0e1f4aeaf26d86e230d2574158205075d6ac2c037a53c8e738b99a5972ff5a68d7f2e3f0452c1758494ac3d2b4f3f12180d29331f68aa028e5201120bca2a21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
088efe1bcfbc51229069f5e5d05d3b5d

SHA1
fdf25073efe44c0a4ce64ce582b2e66a1a8a2a51

SHA256
7eeeba9b3cedbde741a7c5f6068cd5d022e1e50a21213e99f5070505d7199168

SHA512
d34ca9378962bb3d069ccfab773329b9897ed45fd235373b71f248d32088f6590d86c8d1d3910f72f0fbb0d6e5fdfc58533f4599d2388039e0c76534ec6a5b2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
0e8c63fce713090d8be6a80c6882d35e

SHA1
27f0a4de585f1af4abdb13a11d00b1b03aaefe6c

SHA256
f716447391077340571c74f176467b688b48a475c5e7d35046017e7f104b390a

SHA512
879ef92e1f5a44493b55c95466f516977d00f347a1849e2b7ea3060a24e10f3fef97cd4cfd5d30d688128025b800d2f7960c89e41ea67ee6856b811f8b1db3b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
48ae92742d7c6c0cf8b03ecb2982f65f

SHA1
744ba2971d5e2dc0023974d86785a97a3e68698c

SHA256
87c97c551cf13e4d76a27e80071bc6c984c3a35c6935c0336d620f945675d458

SHA512
73f98283cf26772e384a2c0c1311f803f92bf1459c6136125e6e53e6b579b68dc8d3ca33e70c2bdbb3913d39600c88ce9d07d9c9cfe45b4bed532660fa23480c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d24ab6adc36b3f0bc9d939d0b8f2892d

SHA1
876b11ae03e86dba57471a3a9c284a01636a9794

SHA256
8aa4e3f0bfacb71cc0140c8b8417797c6b4a7fb26f176d454c36a7c9494630a5

SHA512
08eafaf977d65284e013ee92f122521d1eb11e3e5c8ba4055a022d0b39456d857a0c88b1ed83b2f678b20b6c5d1c9ac189e8ab2427ff28aeea80355d4e92b7e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
4df9faa739923913001fee4434fa4eba

SHA1
9bb7662a2016da1827d89627435e886cca59f56b

SHA256
975c25f01d5bce2accefc5ed2693c29adfbe7224952af8d08131b5410ca3a29c

SHA512
054aaa46cea6c89722048cfeeaf96531e5757bf19c4f49da745adc39a13466375ea7fa6c08c950d733535a40715454dccd216c5d1b7e188f1a28e3531d8eb204

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3faf70d5b39cc57817b2265e2b87bed9

SHA1
b80ccc93ccbb282fbedbabaa54dd00da4651d582

SHA256
9be13d951718fea7386c535e61c060589b0783b2bb9b838b0b6c5bd9d52c5d81

SHA512
503a70c7746149a5fc64418e0e1867c364bc79f4706da0eb84e8902369abdbadf139ae17e1034beb4d1ef068a8ba6f9cbfd9532dc6dcf1623c31869741804168

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
d0a127ad4e3dfbd1544f694e3afb9ecf

SHA1
182ff33c8f76c811bc36d7bb4312416b362a5427

SHA256
dc7cebc8a89ab4955d47f50ad7ad7ac976af6003655956e82a66cb5ec5d15b18

SHA512
6ac492cd7211fdb8543a9974747b0a5d85649f6951a938f0053ecfac1926c979e195e2f50b89990f62efa2a4b8bd9d65c04a1ea579487ca90b95329af341d741

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
161f73ce82b276713a0fe06e752a9802

SHA1
43c47b738db0d4dbd999762409f092093251b1b4

SHA256
89b758dd97c9c8dd9473cc9ca9008d6e0304c87924ddcd88f5df91df738d7907

SHA512
1e938c56409f93c6dab9931ee53085cd5be734e3efbc633f3d30079df78b3291782acfdbb9e546c89ec5ea80bc4cb94a029e899234950beeb637aca5055e710d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
02f4d08c15d0ced8a1a457f2dad32264

SHA1
27642594bea71cf316bba2ee7f98c4870bd2d41a

SHA256
53ae2f3c91cf4815443220d75071cb8b1e69aef358856332747c29cf9e908d87

SHA512
5a1ed027f9f462e06d4c0b6f7cc14608153f94d47ea79526ab6b853dc04e396a5ab73875b4fd13655b448137d045919dff4a2aca86e096f47baecd285dd1b9a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
50d2fe1ed9deb105d4a75dbd9f52ec18

SHA1
c45bd94a703d352c9a0aa6f470a4801b6f26768a

SHA256
dd55fd829609326c78c93ac4f8a8c9f32248ee0e6f0035ae9bac183beac4c9eb

SHA512
6de092a364dfd0e014371a5b37bd8c79c2eb7d73ed6137bc2037648ab1abf8da6f14349170b2fbf2c741b1c75a4543d3fe96ba11f3e04380ba0a972e99572a01

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
67aca1c0842d7520f4876ae0c1d55f8c

SHA1
5fc8066b4bd9cdc13d40b8241a06c90483cf1bf2

SHA256
4c336588c8836545364bb582f1c71f47c399491a21a354ed47f57fe06ec1effa

SHA512
c0dd82ca28c44b577d9e8c04b4e172f71889fab0d254a014b059ca1ab6b0073eee9f6d949f8e2c5f615a95269f85ab3a063716a5071e7ba5cf14aff46675d4a8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
f16b4c5420e34581434311804d144367

SHA1
38f1e37d3395b403bbdd1ec5c4ed698e7998daea

SHA256
1c761cfde200c5d4657e4f71ce3f52f721738327121b2146cf1d81b08cf65c1e

SHA512
7896918fdb68cb07b1bbb4e55b59491e4fd1ba65b568022f5b283f0ad20878cb8022c88c36262b7b6094c8a255631d6128b233ea2e969c3f2211ce6c6abbb72f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
dbdd66ea6a6fc8b3815801aecd7d34a5

SHA1
e15a1757639affc27f105a4ba4b43c12947d7ed9

SHA256
03b7db04cee35f7aede5907afbc096949307d045bd64fe89fb671221c5cd1adf

SHA512
b1124fcc806e8b879f59a0e9ab192b2c21cedbf5545e425d4f6d050b5c8901abcf07baa43701a9a54462a81b70fb5b2007304aed5da10f39aa63370fe2260f66

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
43622a70a1dc0d0662e1e7f1508424a8

SHA1
b59c274dc3fa852f9df2cb866f023bb64d1616b3

SHA256
59ad788ada00fd8c95d59e384df6c7643276eb23d93dc71351c31f0281b03f3a

SHA512
42347c2cdda6f511f1e453b6fb7217be91dd510139883b7f3be647e300f84d81c65aaf60c63b3ae1ca83676f39be809bc1ca75059a743e5e595b46d028571c5b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
eaeb6994dbafecd1ba9c2f56cd3b84fc

SHA1
1a4097db60cffc182bf16224167d61d92fb3ad11

SHA256
72ea80e456a0f133ec6edb2ca25500f6f08eaeee3c28cd35b9ec70c9f12c2577

SHA512
d41c2f6df719e08d701b54ed76bc03456b0779c44d6bc0e501f89e9c5a9350c5f2ed978225d8eff2f43c70dc2dd952f9f6c057ca5fb29434293cf3647a2b7552

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
010665e588618a2e3e44b101cc314353

SHA1
1e46b30c1c853107f9685be5a2e5bb5b62336831

SHA256
c057a6fb54c0760e6a648997a7583562d930fa11ce5fa707629bdc875203c777

SHA512
7e224db2f0900ecc33d8a6a4028851d42e2213ae68db64e8ef678ad2316108d149e981438636adaf50f47444d2824818efca83a4d939924a2a4168af39802f72

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8d4759bd10af4828accc595b9902bb77

SHA1
ccc21b1c68174efb517a9dc9a4c8cd484693fc61

SHA256
56d8150fb10330ac1603047c0a368c90dee4dff65f809d6cffa03adc27bb32e6

SHA512
0e4f640dbc55e23a264e8816bc4027b99d7b2e47b3ba487148000001efa02540d29c109e2d16ed977a960a08f78da0b55ba7b1d679f59c5f8161c3d796059886

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
f071d10dc6f7ce47604590b6a7be2508

SHA1
e949f8bfdb294b6b521c159c0551a3bad9359aeb

SHA256
c3138eeb6639efada104a85c9d07fb2a4f4ac58f4b3af700bbbcdb0fe2b7e99e

SHA512
5da0bcafba9dc82859523fef8b0b5f21788bde914d3138f4a177e0225e44d6f3ace1a9f46c737b41c3ee0b866f7b9f57619ab551de650203ffeaccae7838cfdf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9371d53b93031a537198d8d09db3527a

SHA1
d32707682dfaca1a8f9a7c8b1a0885b9099cb374

SHA256
a85761561de89d64e762ad0ba310f621e78c51f41675ba8a3c8c0d86cbc36348

SHA512
b20e85fc556b8d9cdbc6d3b73ff39e6e09bcae90fec88274f35955c87fb67667dc44f59f200f9caed435f08b4cacc1635f32ab7c53643a0836e9288d5d0b489c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
15ac4185bdc14d921975ee615a915e5e

SHA1
a4498a8e19c5499f0d634111cace65c5647fd054

SHA256
04b750962eb6e4cdbef9430473ce5645644c22d16a8626533949cd8bc73d72af

SHA512
a0f448971566bf63af30412191b32fc2498286ddea08f1289063d9131d6117f5d1a9c275e14942adbcfc3f999b3079534efff528526ca9e877a6d31ad18d9bd9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cebc404147d4f416e01e7d5dccf153fe

SHA1
3fb9ee42a3904b69e71e8cd39246cc39c54118f8

SHA256
b9006bb1a18c4778ff16310bab562b3a0335b8117c9ba5a91e0015773615d089

SHA512
3f0802c2beaa62543054c285452d972c76e09ab403693dd567a5c55464f7c15712d310b5d96593d327f44977821f58e4fbdbd5456501b872e411d0f9fd06d88b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
81c46958d4dfc41d544fe95b39c8776a

SHA1
28e321d723da8f9367b148fb8042db6337fd15ae

SHA256
aa08653f30e42298e8ca33da8d19e2f7cda7c869474ee4399da5fdc8ff105537

SHA512
97183d1062d5b08a5221d785d01d4b560ebfdf386b9a360aa96c7eda3ef7221d42c1026c93962d1765e4751be54b5b66594a12a22b6034e453d8d2b71b3a78a9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
efac301f10fbbe10c0d1c6238b8acaa9

SHA1
fc5be2eb5036b67bfeb75a9fc5de30a62105112a

SHA256
1a9d04cad0d510c082691d5f0c63df16745223509b5ba85ba1327d7ae546f387

SHA512
1c0176aad6d760cc7feea6fd0182a9d34290d4f9173c0733bf1d9849bff7769d0f1d39d18086e95d6ceebd9192f54b953805b7e2ff40b183e0a5cb99348a5495

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a52feba018344313790327539b1074ba

SHA1
9eaffb21fbab0e426885cea2d3115af70cd04a50

SHA256
b2ec2d10977a7bbad2beeb765bcea5918f0d3df37d176d7e25431fbe5a47c191

SHA512
7ae74780cff7e4c8c28a75e4be0c5ac969b3862d90faa69066ad3bf7409d29eb7fe0873369e189f6296e490a7b497e2a3936729df7513a83155394b6be70da89

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ca4022b8e26c0cf39a92129240528541

SHA1
c5a0c2db02732e1034fda2beec2f2e4ffc4ba4f2

SHA256
384829d446aa543923f69182b2fdfb9b3ba35a9fd8e5c5427202c7075e97aeee

SHA512
f2998cb2e03d563b4c16ea6f8d28e3e4923e533f6b70482203f5ac2c59f599ceb331ba8ab10b5ecfac13870db1aaa3930cab9731e4631e67b9c85efac2cd2b40

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ff5de8f3870ac0c35e1854c83f6fc07d

SHA1
c1625aeff943bbb0ba37c89874df3330e7755455

SHA256
2d12fc7cf07da710a82d7e23bc1f00e291ddf5fbb2788273b648932bee8a90c5

SHA512
8838f939d2597693037385fcfa49cc57e162c69dc17554f784278241f55a25f188171eee59711a10550afc48cfcb049aa4be55761f6a06042b359f9b9b6bca99

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8abdfd902c25d38e6f35e262bb5cd7bf

SHA1
bb07d942bb138f4747a4ba005884960eb756d6dd

SHA256
7f8a2ae9dcc00a832a5a7089c84035a7f28dfba6b5957d874bc17ed6843650b8

SHA512
d8796b117667987332f1e0b03ae4e3722f18c4c91d4959df719cd773fc6ed07ac6bfcd14c05aa262ea80e5c95db4d7f503055585cac944c6546d20c2ff163772

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
13964e801c2772864c3dc5287536bce5

SHA1
dfae0a68426cd428688ab0f24eac1c88e46fec88

SHA256
06a5c1ce08ac032504d730b85903871ebef23be4805949bdff14473cc0f814a7

SHA512
04957a3c01a798a4fe14d6167b4055e212d49f1f79c16c00db129c75f07445ea7249f55860985e75fca6fddfcf0e9a6a4d64338db6e8a75608b2d541100a383e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6e2c7c3127b7bfcdcb7767b9cc219520

SHA1
dc5b13135ad0cf7ff6cf419050d19acd8fc2f83f

SHA256
0b465e8d17d9977b3fbc0b314ac4dbafecf846df65806b0b8b5cff5df9e3b5f4

SHA512
f402ec9c01d833efd569d8434a1144455bdb4ad28cf5f02302f81897831757d64b524680aba2f6ba8fbfe581cdf20a0cd88b3ffaa038482ed7819753a356c479

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8c589244a44560eb31784f7c93517608

SHA1
277c295de22969940e82a210645002183e7395bf

SHA256
a88d8845da8883ecb6f8f98fb89c776fde71723a5ebeb271d46a6b80d8b7d035

SHA512
dc10d40018180538fc5bf0e8d63c3e7613f09cf098d44988a5a8dd80aca23a41c2c2ad309c0545038d8ba0e6a1e140d4334afa477a283fa8909ddb9175566c2c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
735aeb50bf28fab6436d9fd5ca976b09

SHA1
827676254206687f38df0cbb82802516a85bde6c

SHA256
bfeaba6e8ef6c14ebe84cfce63a4d18d422803ba7085de33dab9e06d8cfd8c61

SHA512
2920b69ac2e9e5cb30250ae32e8ade3b283acd3455495c9d44c7120c97cf161e1f99ce23a1f83c26c5b1e98210d226139b97232481e0a128a8f96eafac79cd8e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
e95572433c3fba2b3ede96d8f564a5f8

SHA1
bf01793d97faa7c0a7a0015b373af01676d3eff3

SHA256
76345ef3f76c5c6c1642b1b12f523cd753763d0e0d97c6e5af339a9d38fa25e5

SHA512
2fd6262c5b38532b7632fcb2fc387f75531b0016b72a51648a4cce30cc31eb414234440c40841a2b5c589630b189d8d53f16962019b5670b2761447196b87cb7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a2c10660d4f91f9e0164d6a01f6c13a2

SHA1
557d5d29f43e7e0efc93a1b190d8207f1aa2de0a

SHA256
4192f3ff851dff28871c781c9334e73d0149b5702effdbaa5e53e44cd1bd2c42

SHA512
7e3a0d2a67aae53e1b4d3b674d052e83442118a9bef44d4716d5ccc7e6dabf8fc4ea5c4315b760ad01f296e20e76f7fceaee882e5042f627bafc4238e754708e

Download Submit
memory/512-610-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/512-230-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/544-179-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/768-64-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/768-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/768-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1028-178-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1028-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1268-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1536-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1536-606-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1816-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1816-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1868-605-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1868-213-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1932-106-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1932-196-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1932-100-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1932-109-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2400-383-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-185-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2440-155-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2440-164-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2440-162-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2440-224-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2744-611-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2744-233-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2876-226-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2876-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2972-132-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2972-130-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2972-122-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2972-128-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2972-135-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3036-137-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3036-216-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3116-2-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/3116-161-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3116-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3116-8-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/3116-521-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3392-228-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3392-168-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/3392-173-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/3392-167-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3688-603-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3688-181-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3688-236-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-117-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3728-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3728-119-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3728-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3884-197-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3884-599-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4520-210-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4520-604-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4804-143-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4804-152-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4804-149-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4804-221-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4816-237-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4816-612-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download