dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
Size

1.8MB
MD5

bc59e62953d000bbb9cfefc793728f64
SHA1

c5edd3a4e27587c400fe1c956dca3cf4a3bed93a
SHA256

dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2
SHA512

b51787c188e264e24fe55a73c284cdcc6f830372b24a8cdaf8ec825fed9a5d606f23e39ffdc5238904b740e64a2c5edfa110c13f5a577ffef7f19f03cf8956ba
SSDEEP

49152:MKJ0WR7AFPyyiSruXKpk3WFDL9zxnSyZe2u7gisV5:MKlBAFPydSS6W6X9lnNehgL5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4936	alg.exe
2464	DiagnosticsHub.StandardCollector.Service.exe
5008	fxssvc.exe
2388	elevation_service.exe
2896	elevation_service.exe
920	maintenanceservice.exe
4880	msdtc.exe
5088	OSE.EXE
3580	PerceptionSimulationService.exe
2988	perfhost.exe
4268	locator.exe
3888	SensorDataService.exe
3424	snmptrap.exe
2052	spectrum.exe
1812	ssh-agent.exe
3268	TieringEngineService.exe
2344	AgentService.exe
1052	vds.exe
4332	vssvc.exe
3452	wbengine.exe
2692	WmiApSrv.exe
5168	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\System32\msdtc.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\spectrum.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\vssvc.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\locator.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\System32\vds.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\68cf3ecec3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUME06D.tmp\goopdateres_bg.dll	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File created	C:\Program Files (x86)\Google\Temp\GUME06D.tmp\goopdateres_no.dll	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME06D.tmp\goopdateres_lv.dll	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME06D.tmp\GoogleCrashHandler.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File created	C:\Program Files (x86)\Google\Temp\GUME06D.tmp\goopdateres_am.dll	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME06D.tmp\goopdateres_hi.dll	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File created	C:\Program Files (x86)\Google\Temp\GUME06D.tmp\goopdateres_kn.dll	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME06D.tmp\goopdateres_sk.dll	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME06D.tmp\goopdateres_iw.dll	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUME06D.tmp\goopdateres_nl.dll	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f849d07e72b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fd2f87e72b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064a4d88272b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4fa868072b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003994878272b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003994878272b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b08e038372b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070def28272b1da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2464	DiagnosticsHub.StandardCollector.Service.exe
2464	DiagnosticsHub.StandardCollector.Service.exe
2464	DiagnosticsHub.StandardCollector.Service.exe
2464	DiagnosticsHub.StandardCollector.Service.exe
2464	DiagnosticsHub.StandardCollector.Service.exe
2464	DiagnosticsHub.StandardCollector.Service.exe
2464	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4716	dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
Token: SeAuditPrivilege	5008	fxssvc.exe
Token: SeRestorePrivilege	3268	TieringEngineService.exe
Token: SeManageVolumePrivilege	3268	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2344	AgentService.exe
Token: SeBackupPrivilege	4332	vssvc.exe
Token: SeRestorePrivilege	4332	vssvc.exe
Token: SeAuditPrivilege	4332	vssvc.exe
Token: SeBackupPrivilege	3452	wbengine.exe
Token: SeRestorePrivilege	3452	wbengine.exe
Token: SeSecurityPrivilege	3452	wbengine.exe
Token: 33	5168	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeDebugPrivilege	4936	alg.exe
Token: SeDebugPrivilege	4936	alg.exe
Token: SeDebugPrivilege	4936	alg.exe
Token: SeDebugPrivilege	2464	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5168 wrote to memory of 5592	5168	SearchIndexer.exe	122
PID 5168 wrote to memory of 5592	5168	SearchIndexer.exe	122
PID 5168 wrote to memory of 5696	5168	SearchIndexer.exe	125
PID 5168 wrote to memory of 5696	5168	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe
"C:\Users\Admin\AppData\Local\Temp\dd84a52a0e76ad0a215cf7a4f2286643bb5a84e04ca06c7086159ce246f8cce2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1500

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2896

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:920

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4880

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3888

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4564

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5168
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5592
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4088,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
1⤵
PID:5252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
043b0170729b7ce9f5985411b444f362

SHA1
b767fda610b902c4ac06d0a667e625fe9e0aa70d

SHA256
d6960c3100d2ce1d9cacf05ec982687ab69a9a2bf16213a36d884a57db2e49aa

SHA512
30792c4fa28a273e8df232ae58a482950d87a12b8c57879872a43e0d67b64fb572348d121b9b1671300092367ec7a7fd3e47c081997c401efaf7855c7d19d342

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
3f9b9c4c0db2fd56532e22a3feb34b0b

SHA1
3f9b63f35bfa6a23da8607a12f45fe09ae29259c

SHA256
f226b2b9645ed3ee3d5a29e39ac95f784ef337b51e6e4d0e420eb072f827e6ce

SHA512
3ababa8a303f655a689258008fa607cda03429bbc8360a235054be25960d074b79f04b840f4189a19bf3da26b82fc63e8d18357299b9e8aeabdbef2054122b5a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
dbd592e44be2015faf26a27e3a940ff0

SHA1
73a51fc49eb7741f1f9e446b98fba1ee6bf93672

SHA256
ede4584ab7e436db68b2102ea2093951c897667a67bcfe9776920321655f89d6

SHA512
d0140b61e15b125093512e398afe6ae5e86fb751015939a4bc6c327cf8d0b21064f5f444f763d09abe97bad3b7d6719ce283440b5ffc6a8e64b1c83703a8d300

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fced85c29ab8ba5730432b1f9f63370d

SHA1
710be9c629742af1bb8615bb30a893cc0abb6f05

SHA256
b139827b8539a8cc5d88e653c37fc210a25a09729905e3bbac40b4862be7ecb4

SHA512
53afad951b142be3b90682933041c26311512c806b354ddb6fed4808926468c42f719dae817471fd710fe601fa55756b5b396324eb4987e9242d330db25fbbec

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ad2ea53a7fbf5e92eae64c5e2efdfd66

SHA1
0c1702b3aa7be687dd62859e808be32a2091421e

SHA256
3cdea0c0f5bbcd1f7a12f775efd95ff0599f34561b5bea25b80aadc5c03280da

SHA512
5b41b99566ecea8af53256bfe74bb2119243e1b9870bb352b9b6121b6fe5b4bba38a9a9be80db9df776886f96c14edee5fc232afbf5a30c9f3f0c2d3e3f67b68

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
005f6a506ba23ef505241cef935d0fa3

SHA1
3aa41bf5d098ef007731daebef0b241b917ac972

SHA256
d46c95a1b3ef0b0ddfeac982bfdd2b723eeae7df092106fc9aa3e77570275894

SHA512
85f5516b9aa4cfff41a13f1d552610eec763d6353b3aba3d6fecf7badea1e69ef0bc814799e6e29b301ff84173a86cbc2f97b0f2a625513c02e1ecf38ae6abfa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
da6696c7f39fd7e86c79301f88078342

SHA1
c34b0f404f814c4533c2e466985b357ba2b48547

SHA256
0e8bd76d1f69d73eacc0ec9fd6407e18b6c6463543632282dedae78a5fbc0264

SHA512
3c2b744346a5415091a56de269abbbdf73c7d9e37b2a7606f8f813065eeb321991153192df76a44da85bfcf24cc7f852b3fd7e9537909234cf6f2a2d845ef8d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b4a908660b092575cea8b7c6c2bbc399

SHA1
aa646031635a324a92b2baaac21e47f50d32acb9

SHA256
996407823e4ce0c303b74604e2f6d2deccb7a3c9043aba86db6e424f5fc2527f

SHA512
f4e6aea7bd6cd8e05f3259f1ececec48ded5304e582044c4b74af43df8595925245fae566354787c66ce46ece992445c5a09927f0bb4778411e8a4c7174fefd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
ef1059eaed7735a40b3d8860fa93abfd

SHA1
fac1c7bc7bf4a8be0f3fd7de6707c1c7bf78f40c

SHA256
0a4379b01b77f5d688d2834101ca70db19dcec98afc0aa72de9b3469491c732d

SHA512
4e302e75db89acbc95ae6da78376605962e4fabc660852d594550e59731a66a647db3ca0fa5423abe0ddcadf9e0c2097e2b5d44bf9def4009c68efac64ec801a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2b39b567713c5527a1b67dd07fe3d22c

SHA1
94a3042fe120f2ab6a9e8fb56f9c8dcb19fb9893

SHA256
01bf348741d2b1e2b8fd1ddc6009a2e76d38bbc114455a81e06a4b4da4304b97

SHA512
1e8f2aab28bcbe17ac7407b38bdaa3cdea7593f5bce7a3a99d840fa933055ebc5daf6c27a31c87607ae2e0bb99ffb9a1ea2ff4bb7770af154ec2d09d25641651

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
234c70579137d964d51c9202e262bde9

SHA1
d74275924f1209c482e4c53ca74709d537036f5a

SHA256
245c3270be90ddcb255ee72f15d56408ee4a23cc5d1c63eae4d951ee9828679a

SHA512
3f799e20c03bec6c597debbf9d1471bf640cd410aac979244ceef94d092fd4176dd1bc53c59c853aa0b1f3bce899c785180dc9f6638c2ff54e287641d0dcaef6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c8b96e4c3da968d32db8f278dda8c871

SHA1
ba30efad7af08aa19c4b69bef73b5594943e6520

SHA256
c5a6992b6855458ae41c8c706a9d7166ea98b6459dde59af0b13513035042399

SHA512
609791f39d300945be7e6097f961289ab839de7b3d78521dd04948e8b1843db44620feb3555ee543a073cf7e8870ddfd8b3ac54d05c0d449a0cf109f78854629

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
3203c10e0b00e20d4030c3e37155ea95

SHA1
69510158efe750a5f8d6d545149ef806fa059fc1

SHA256
054e7d4577db7bf1038ad4962ed68a9d695985eb55ef36dc02ec0a90fe9cd224

SHA512
7d637ffbeb4a73fef63f0bf3c2f4e7b96e0572e189395e0f81491f65c9afdef910f1aca693c4f957755b917a50ee4a6784290852e1268b229dda8e4ee0915a37

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
29482256b9a4b24e03a19587656d6ff4

SHA1
d62101eb4b6f713bb0d413c25326cc0693b9b2f6

SHA256
43154dedb7ebf4177b8c64f08a78fc2bf95d0bc11a84c2331ccdf1d11c21e460

SHA512
8d5f34637ad5a68307f08b0ebd00c87c1befc1e277d1bed9bc5c2ab1ccdfcecb34b84073e76bc8208c4f964cde334bc047cd702b748382941275a21589d0f9a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c1258ef4540a57e919233ff443214517

SHA1
41144140de62170ea1d65a12772c2b20886de79b

SHA256
34108e568ce1495a74e21f00c764f8bc8361d57899b87f9faaec8badbda9ff1c

SHA512
06097ffc7f95a38f88b0a5916cd8850f42dce96a978be0088ade27668a8ece3021a1c25a82c063069fb692b412bc12b76780cc8103b60a4dd321f6e67d010d27

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
967cf6d826ff0d168171301160d58331

SHA1
95658b7e6b565a6e03b321fcfff04582e13e91e0

SHA256
328ef315f99d66fddcc01a6382373b6ae45a0f53188d338e1ee634103a720ef1

SHA512
9a6430ac352126dcf55f3eafe52554b1885f4c490d38e214f526c750a48c0f5752cb2a2c1f3594cf3ac9ab6b42b6c7b3b4c230b0154e6db1921336648df69c01

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
35684ab244faf3a9eacae65b16df3945

SHA1
a655a3221051002a4cec0ff23279b93da3c544b2

SHA256
6682e33ea9831ec5756a80aa132061bfc6eecd5b051fb949ec8a81ef2e6e6ca1

SHA512
47fa341209597f835793ce6b8a8796968a9c2496fe3d07ff8bdad6573f06225065ae69092854119f81add097663cb8d2d3bfeddc25c7390b955568412e713e6c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
eee7bc0ab09dd043fb542e5fa3a396dd

SHA1
cf69828225fa3e195bf90d0af76980a849d55a77

SHA256
97f6c98b6b691aafd4451798706c099c623bcc0f41390239d0f9bafe2634abba

SHA512
d89b781da2a7511cfba5aa7cfd0e632206ff5ea694fd0fb2b70d8d9fff5260757a9a8e2f20fda83318954d4acf02c326b25a52435d40bef72edd0eb556dd1618

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
02aa7fd15693fff4318d703f7f3421d5

SHA1
f948f1d6732ad84a7c6da55b4a101473d99f7b74

SHA256
cf2fc3ff56042f8457266f22fe21aba2a1eb934ea81286a948b3290174c4ae53

SHA512
997d51e75d87a622b98eb154d851aa06debd5698e5d33e27e6c434eeb695106310e43eff8e843d4cc555e2f9f18e201c8ebb40fd28b1fac7e4cc4ec4f6c8a324

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8b62453c0ed0b23a20cc7426a1541e3a

SHA1
9b9cceb40f6ee7aa4c139f5216355af0fecd7811

SHA256
9588df12580838fa88300be39bb411085964589ceac273b0a4db4e3dcf289cda

SHA512
d5d49cbe632140c37f85cd9186c2134be334e0702adb29da3a4b9200e12b21790a65c3eec932ee2ca6dea71f07ffa3b20a7c982907025cf6770e436f4a3c06f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
17debe4f9398ace38590579d86210702

SHA1
d25e954c68bf6dea85624be03bb67e46db9b07c7

SHA256
26851f47f50857a4a6f23b939cf7b3fdc81154da74040b3074ea9b291f75407f

SHA512
e89557d7cdf2a2429312adfaa3c8fadcdb4990b96b2958ed91ede4b7e6948011544e59478d3081939c0611bfda81d10a544316c3173921c2a04d03dea1c6e4c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
ae0fe0898c58ac727f4fa368ce0db48a

SHA1
b29afa704e52aafde03347a37647105aef6be074

SHA256
981622d464a660f727d202f252efd1f8e26cfa18dadb7ff43b9b4ec7d0b89800

SHA512
27cfe5091bb17eb2854a2ba382024948dcfb704336ac0cf8ccfb3feeeb8143a51f0f03b87c1f7d683300715588bb75d77106cb475cd35f802356410c169738b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
6bc5f9381d59ff73d96b8bb5796ddae4

SHA1
c8993c2c48f8c564ce1b35d5ac086a13f641fd03

SHA256
823e3745dd3ed473d2bd85fb0e0290ce5ad7131b68955ebebacef888c71c0259

SHA512
17c32c05f21a15fb74f6458d1ec19146c996508db0d602da10eb18fa44d4d45fa70d3bf38fb5e8242076dca430cb25620f25bfde362e8b74e76912e08631e441

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
b560ec73d446c7fbd5a07b6cad41cf87

SHA1
91cc331077c669ff7108e4e52d767c0a9ee3b26f

SHA256
411f869494f165cfcc2aa6726aa0d44e5f13ae43b45e95d8e69cb4367c4a864a

SHA512
73c3c6efd9b7b4ae13e552245416d995a3f79a06b803b627e5f3450eab540894cff55984f9346d1c661367b054c3ebe6dc329ac54d337c37dbcfcff4253f7ced

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
ead94f6dcb56931886d6af411410f837

SHA1
a1a9824f2c787cec84b0c62f9fb8b8825c0ee280

SHA256
17c0768474061379a036194bb20243d62994b12c7971fa4696cbab2dce8f3871

SHA512
0cb24102be40a4d5d2921a30aeb09a49de0c201b45d9254c25a880c1c4ec42e72cb38ae8018d09dff37f6317530d3c3e489ff0a3c654d2bf01aee385abbde115

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
da4054e4aed36e576398fe8c1420673c

SHA1
1fba08fc16b1f55a6af940f0d18eeebecca4cb50

SHA256
66d724416e472b3064af805aaf802fbd14875a47145277fe2afb6f9ec75e3e3e

SHA512
ffa0b7205c487acc2aa8994e6172635535ca835071952566f53ab8797ca9c097103465d244f9f1e04a3a295710980ef46c981ab14a05bbd0bfe990eb30376521

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
7e67f250bc984ffdda20db4ed4af8bdd

SHA1
74bc16be6a0d019b7ae00ee1af08ff58a69cb882

SHA256
0c3da999967f30f863640d1a675140477f0881bb9b6c58c5bb1c1e7bf606cfcf

SHA512
57072607301670344775e4a80f1fc81e62e1f7b2bf0b3d530df31d1af589bf89b5b074fdbd29460630f33b9f38b6071e23e5c3019a0999f87e7571780a915cc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
10f885cb0a94c74ed3462aff87aca923

SHA1
52ff6c70467258ba7ce4593f444a9939a93bb1e2

SHA256
485321e6144206559688939f3388af1c61446b8026e0b7258b296792498e9056

SHA512
a24721f11a248bfc57ad489cccfad26ae748046aa2bbe6ec774c7df7998cce2725dc1ae938dcd71377d8bb35a36342e6448e092b1d74fb81ba82b14adc40556f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
22ddc810b95b0fd2f8b77cf747da5370

SHA1
cf5c9eb67d98b1fae145a90abf6cbf24438b33d9

SHA256
7d33676650f4be2d696730537bb1cd9f58cf72b2dfbed4081da1b81089929c7b

SHA512
1f0d68e91640ffd05ff6b88438948e1787bf5360242d6c872538cfb642b5a16b1b3168cc9c8220ce59895b628c6ff155284f416b48426507faed33299c3c7b6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
8fc936de75ab2fe12ef16237009a2797

SHA1
939e6f5fb9ffa3c944ad7b8085edb81856da75ea

SHA256
83ab6be5e34251fcdf9c7814fe2fbc5f61a3ea70e06259a8b2c7bb4454762fef

SHA512
f37499e6c85141d517a144b39c51f09fd5decd5172c8f42ab8484099786cac20588714a7283d983fc0e25222513500a3f2d7db4536ee58b3a88f0600aed2cf60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
1749377d44d96f5b9596b2896c888de0

SHA1
1de0ae47777152490b94e55d28e4b599bb4b34ec

SHA256
06b3b65ce3636a9ccdecbd8c158d7f560df5476f8f1a2a632428d326d1248527

SHA512
543c007464342f883d9707a72f05ce22a0de933df8834870ef7a9f104c5415c58267f2b66d6690bb2ac2494ccf4e648d25127a37cb314ff8cdc8a796d79ac741

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
201d2bbb1ac21404b46ebf1d8737b7af

SHA1
0caa1db511da7c38e92b22943c83a1d46df2784f

SHA256
18d9d875034a352ff45ea7331ed5ed0c50e60bd8b2da484e4c4f4ab4a8708757

SHA512
e4020b6f9ad09fed8c1fe296b331410c798e8c07d0782419d1477301988bd89d54bd8f63c1d2539ec4b39bc5c10f459a15a43e629a25deb38d00bc9a197da32c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
8279b180d4559a1d9da5463916ff0d7d

SHA1
640ba2b23692af895f16f6f33d09993e052a40a5

SHA256
e70e4c81f7d983fabfceb55cf286bfedf7d1b1cf6e109c049fba1b6a8f63ccb1

SHA512
01ac68cf4cd70a3a2146ded098391d5c7f13d20540128dc593b6db6389984c54cbfe2d0b96e6ebdae697286d3e09d8af075c3d248c9c8f3e12cbe631dbfce828

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
93e043f7320068abf303aae23c3d8a7d

SHA1
9e923582647ac5b518d53ec5c3d26008366d854d

SHA256
d65b68a446882dc7cab847202dc0f513cacec12041afcdf5e2fc8e2df2898c35

SHA512
7a6054d3552634b781123344211592449300f98f9401cfed7b8e415d3620605fe9fa8df4832b0407d8a2248e7f4fa42b75791ee30d8f21807974d834bda884ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
c9e9c45940c1ebaeb051a6ef7136f66d

SHA1
40da476c7e33af095c8817c9499c4701c35c402c

SHA256
eedc95f34d35970c12f17bb11d1ef2403889a53583856ca843e26b192b201f65

SHA512
5834417f73b2809c8570051a3787a211753f781c7cf7b89f3edccdd20cf7dff4d2f63ccf3feabdf2076dfa51b77d29eb689199852e8787cfffde790b508b35b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
79a14cd92a4d92bdd6632fd0d1dbabdd

SHA1
ec521703a379de2ab9dfa7790be1e0e5ddc7792e

SHA256
6a7ceadcff7124ef82a6feb5525ec736caffc024201f80877b76e46d7f871c7d

SHA512
2e7a0616344107d2de3c7233a1b89e42f7211454c3e43ff2bd0588acf8d41b30bf8d112a2488bd3bc43032fd5982975a1d384e38b65d0e19fa938683af5a99b4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f4120187bd6aaeed8611447438669d9d

SHA1
7764b0923af969ceb0b0468efa4d30a491fdf7f8

SHA256
76367bdae9c7f77137523a4353c2eb242799176e1c821c4555faf661e9cc4811

SHA512
6ea705dc64880da01110bcafc8a18b2e65f559f89c3d8be69610caadfa9e76e000495c949733d67a0f5355e77e8aef4bc27ec8e1819e68d71142dd607418e000

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
6a94cb6c0c2c0b3f1053ab6371d99f18

SHA1
ec9e4a16c26ca4a56d8e64875b2fc03bc91b385b

SHA256
c9b280341d545e2082485923b50698c4b6ab7f4c68775528c6d6a62b0b51fecb

SHA512
4a6f74ce08e585a362a6967957104eece6b84e1830df22599acf1fe1587ffce5482cf3f51998d823bb0a2600e86dc1ebd1b71d10f2ae0547236a76b727353218

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
5789a2e49e060af8ebd67b657d817b2e

SHA1
b9994f30b61ff44ce84e18c55fca48322d279782

SHA256
f13925f8eeea9dd552a1deed459bdddcd73e7f6bf9908e82d99acc7c6223a667

SHA512
f08352d0acc3a521a2c893655efe1335b3ab9d7bcdfa84d8ab06f082a18fec852fc716a58f980b910ff11c5c01cc29e2d02b85ac861a0a5bfc91ca2fd06e4bc8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
85080185e7f760104436f24f59101139

SHA1
32ba6dcf7b978f44fe20c8d71083b81d927beb4c

SHA256
8a4c77a309f51765ba092eb2f02809d37d8780675e5f5b66a6870a557f993867

SHA512
b360bcaf3e452b279633d3697e9781d734525d1215fb9db99950824f3befcb4304b4e774f4f4138480e8af0c7b966cb5a114ba5abe9f8e56bf5686003734fc64

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
d84da0b85b2f61bf1a5ff4707175c6fc

SHA1
398d6c7ca7ca1068a7be49010b4aa919abb6e5ca

SHA256
ee1fbb6c2b0904f77e96038c9d368c95fac59a2a9ee789022b0ea65a789a50a0

SHA512
cae458434e04cb001fbd444a84f2f26a82a8bb20ed00e97885cf06c92a36bf86729ce963889d254a0fd1e0730ac201a60f0d16e501c1cbc3604a7da13cd64560

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1508ced2e9756b478ef5689a7fc09656

SHA1
df35d9d224b7622efdffbe0b428840f69d1ce81b

SHA256
38911e5c9cd5961023d99ea0a420745a4f9e908c29b3903c2ced9aa9335af886

SHA512
d4a1f36d35c1c9c612ab1542bdeea1b3f9fc1d1afa5826deaf96eb526d5694bc8b00ca4864206b3c91af74a7e24c4715f9f78a8ab1a2d84c7b89fbc8d4e5519e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
a967958ce8736b8b1972fcf8fbab5351

SHA1
a9460450a5e12e69ac4bafe615dcd4fbe0a74509

SHA256
8d8d3cc48ecffbd471a5ebbd27e581a33b1671fd2abcbdfd24d192cf373addb1

SHA512
ad337d0bec7bb4a4031e19a44b2b35ead1144d3b2fb3b266a4c8e5759c6f1774e97376df6aa7814b9a75398d20f8ce5123556b06d7a4a42a9d5b203c8b07977c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
b883a3256a2552401b0de23ee7edeb64

SHA1
8eac5916f8fce04e3844d9fa2ebb7044a91f2337

SHA256
265d85149c9f0106453fa88f08a5f514929e625a7abf67b27663a1b1eb554437

SHA512
bc872da78cefcc9326264bf4754c487e30519ae3a2ed3cecf541ccce6cf2fb34b13df5ffc369ee5dec1047ebf7952d31842cca3f77e358f3bf9fd94d279123c3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
7671c8ab470ddc8eb1f294bdce04924f

SHA1
867fb43ca23709c5b939bff69b543c757bdb279f

SHA256
141d72eafb6ef17924588783f34a6b83939bd7b87a9921beac79ef20d4740eae

SHA512
b0a7f2a9f31a163e9aecad3119f05a72e6ed8a54250c822404f1c062a23608d78251855c612f0a4203c6225458e4dd2562786d9992197316be9874f391952f62

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
edf13e000ad9f2813f98619ba3b5eff1

SHA1
8faffe8b8bce3dad303ac481c14c270936e89266

SHA256
0fbfd567d4aa9c5d90f542caaa4d21a139282ce08ce72fb7f5873f275baa8918

SHA512
1fe6b8ce59240053a4ccdcef3038f8e1fa5e2f04d6d6c03a2ab53d5111825e89d94d4d4d9e5186606ebd23294c69bf687eeba9aa15c896b557e1d725f541fe51

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ac5696982bb290892dd00793e127560c

SHA1
7291b4d72d827c90ffee1c7c4333636d8b749b29

SHA256
3aa082bdf8d8918aa3e87381ed8668d1abe560ef9a8d07096bad319d51c72091

SHA512
e3aed5b5e9d7efcc8cccf7bf5d5446492e50948e8e6e68e675dcf8c854a2ec391d0fe3323a2852d521a9c0842392fd082de7a702f1518a001fb29dde72152d19

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
efc18439e8b228145b35458c2a1f0225

SHA1
2cabb12857def12edc9f0c3dc871531fdb05a767

SHA256
421c180b2df20a022979b532cf0999e789c4b2dada1fc48ebbfc8a0c8058d773

SHA512
21884fef9727d07cbba1bc1592d388156c4410b7555f16c89ce3811204826686170c0a264bcd180b4aa2e0b781ba0c16d231e3f77aecd98951d51153320b123e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
d0bd0abc46554360a86cf6a3a800cab2

SHA1
561b3a30db354c9bf2e972ffc2c6c98844dfd9f1

SHA256
818eb7fc24108ce4b63431e1157be4bebf41dfe4f239abba864023934305cc0b

SHA512
6eeda473a2afcdaf098e4a5b2987d61150c71a6ca0153bc13aab5b712baae896e9d0ef4fc598d90a023cb4e6a841bffe63e559d5227dc6564c94d41b9b1f0a40

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9316c6926f2e1ed936785e61c11fa6f3

SHA1
86572615c075c6196bbc2f03765244cbf67c0bc4

SHA256
be73d863154989030829d52ec8a514142dcd38646ae37bd624f701692efca009

SHA512
5f6872211060eab5e9384210f2995b6b150e5f6c3faefb35f6a7782c84c9be334655d2550f2b87ea58b1f389a1a6ed3942575463593eb96f9a4d09ebc99b2041

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9a4f83175f58547531ae201f67908ac6

SHA1
a9259b83162bc4718e2a2108e79c4187f4ae51a6

SHA256
61936fd7c0b2e003d341679c996cdf204ef5f1de1a80e18361ec45be99081018

SHA512
2e0a02baddb31221d1458a8fafe1bb312690ead6a985c3f3e9115a1b439048d0af0e4c22299d9dd3e20f6a36292cc912a0abcf78c6ef029b6bc02da7fa46969c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
342d0b1831be8661ddf3ebb4938a6482

SHA1
adf177d4e83a7f538d46f33d0e4c6ccc5a07a384

SHA256
97f63cbfc507a2382857a6824b77797a6ba6f8fbe26a74f94b21fc092638da54

SHA512
cdb267a1a6f44bab23826f8a11d0ae957cfd775892f350c3fdb70b0b8929e421bc4b913074d02edb0d5dad005751b8198c02bc50718e79ab2b4d270f3522b07f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
6e36ea5ef7b64ec09355f279fd91b072

SHA1
530b2711d8930c8eb9d89700b2a9a9b0d5a59e35

SHA256
732025e7d5412eae32eba88bd2b3d51d16dfac87925ecc37a2d8c10ea8367e34

SHA512
89d68be6998665aa03ae8fb60ca6a87f61ff884160b99e885074aea1e362687d68498436273b7f5a97eb244ae7982cdbd9965c51e5a3b120cb4133fa420618f5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d7b4bb8cf6a8955974cb246608409abc

SHA1
068d373b6c966744ad61dc76d7b8fcbb41a87ee2

SHA256
d80c4377588b8165a329ea9ddc56121bde847439e473a02e227828f05ed8f74d

SHA512
7975fae3fb72340709a83e00abe389cb9c3d1a1376761c4ef8bf5e6e0ecd5384a114712eb5e793a1cb9dbfef8b3f03f1cef0dd44598fc70e6978fa9307f08404

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
e455ef8048ef850301f1e851e09f5d3b

SHA1
71e827c9d9c8a956591dc5fc0dbe4ab28ed0425e

SHA256
23ab00102c41e331bee10080692294dfbb4533eb0af40a7f56b67503f2d639e4

SHA512
5a47ce35fb68fe339541da0dc713f2d37f272a1b0dc81746d6e2332228223b084075d8c63e0a8c251fc627e2a5f0fd99726690ea1b277c017fe3498c21c50e57

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b8d9b725d83c744f7c062c1712d3f09b

SHA1
07fc0fe3d75564c21e69ef3d73959f8dad3afe41

SHA256
c31664cad9fe13f3560c00207272ef1b251ad1f2d46b33679964e6f62b9e5b02

SHA512
8f4ec079577b5ae1d977b809e50bce2e810c8dddebd28438637e2274b5e9f17f1c4fbc666a4f41dad61e5ba47dfae218a910814a5dbebca9ca4bbcc34eab5003

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fbfeb5c154aedd10adbc4773176ad92c

SHA1
0926094144978a8aa3602bd607db384a7dcfafe0

SHA256
8f0971d575e2ba03d2719f03d0931e82c7c456a99c991c06caaf26197863cc52

SHA512
872c856c11a8711a24a2c3184b366577d7923d24d1a5351562c28a61c34be51973e342345cda237bbddb3f530e3aeeb94b1d28f65dde8757844befae355a5063

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
837a53e4e3583374278e184b25a1f04d

SHA1
bac40d0ff5f24b1d75f6fd2dfc8c3bb098076b6e

SHA256
895ad551e658eae4fec8f267333d8b259c95c4f6621e0c4926cf00d27d8718ea

SHA512
37f3d74ac0e7ea3a390e15756798a3a24e5cbf4537d3f220838984447aaec4486ac2fdbb43cdf940f63d9dbaec472ae46433d5f4b6a82f9a36650e4397f59043

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
4152357d2a4e1efbf656690f0aea7472

SHA1
964707bee5b7a05ace54a397073be429c3391763

SHA256
e1f32c5c156ef5c2466d58f40f3e8b5cf84c9d23b831be64deef95547b4ed56f

SHA512
f447ed5ccfbe9c4c51c659eebad9ab8745ecc36437e53e91cba3ff94b1df236cab39759289448eefc2c5092c4c2599aafef62a43f6025edfcceb1c40a671c074

Download Submit
memory/920-151-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/920-140-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/920-147-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/920-141-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/920-153-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1052-733-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1052-300-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1812-729-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1812-252-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2052-233-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2052-728-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2344-269-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2344-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2388-232-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2388-119-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2388-125-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2388-117-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2464-100-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2464-203-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2464-94-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2464-93-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2692-736-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2692-340-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2896-129-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2896-245-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2896-137-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2896-135-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2988-194-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2988-339-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3268-730-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3268-265-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3424-727-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3424-221-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3452-315-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3452-735-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3580-182-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3580-314-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3888-671-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3888-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4268-635-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4268-206-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4332-734-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4332-303-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4716-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4716-170-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4716-478-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4716-2-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4716-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4880-268-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4880-156-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4880-155-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4936-193-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4936-87-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4936-88-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4936-36-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5008-110-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/5008-104-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/5008-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5008-115-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/5008-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5088-299-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5088-179-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5168-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5168-737-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download