8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
Size

625KB
MD5

f20c66d92385a5bbd7f22cd6bf3d86ba
SHA1

081012311e466ce197f245eb41256dfd007cd22e
SHA256

8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd
SHA512

9e4a644138706ef8fd24946f76aa4c79f0b9563b2b3f1d0fec768059e981da56b3bb864e0c8cf9a5a5e35a53d915dc3e29033d0233633a05db584a25f7f8de92
SSDEEP

12288:42t3F4SOpFjn04R4gq4HSUQH4WT65RShG605414IQanx8/6:FtV49pFT0SLTQYWkK2u4dax8C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1960	alg.exe
536	DiagnosticsHub.StandardCollector.Service.exe
1080	fxssvc.exe
3236	elevation_service.exe
940	elevation_service.exe
2444	maintenanceservice.exe
3764	msdtc.exe
2420	OSE.EXE
4436	PerceptionSimulationService.exe
3592	perfhost.exe
3788	locator.exe
2032	SensorDataService.exe
4512	snmptrap.exe
4012	spectrum.exe
4920	ssh-agent.exe
1644	TieringEngineService.exe
4324	AgentService.exe
4728	vds.exe
776	vssvc.exe
2384	wbengine.exe
4944	WmiApSrv.exe
1680	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\locator.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4351c4a4293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\System32\vds.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6a53b17f0b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f402e1ef0b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8e2af1df0b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008818461ef0b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1b92f17f0b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
536	DiagnosticsHub.StandardCollector.Service.exe
536	DiagnosticsHub.StandardCollector.Service.exe
536	DiagnosticsHub.StandardCollector.Service.exe
536	DiagnosticsHub.StandardCollector.Service.exe
536	DiagnosticsHub.StandardCollector.Service.exe
536	DiagnosticsHub.StandardCollector.Service.exe
536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4664	8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
Token: SeAuditPrivilege	1080	fxssvc.exe
Token: SeRestorePrivilege	1644	TieringEngineService.exe
Token: SeManageVolumePrivilege	1644	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4324	AgentService.exe
Token: SeBackupPrivilege	776	vssvc.exe
Token: SeRestorePrivilege	776	vssvc.exe
Token: SeAuditPrivilege	776	vssvc.exe
Token: SeBackupPrivilege	2384	wbengine.exe
Token: SeRestorePrivilege	2384	wbengine.exe
Token: SeSecurityPrivilege	2384	wbengine.exe
Token: 33	1680	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeDebugPrivilege	1960	alg.exe
Token: SeDebugPrivilege	1960	alg.exe
Token: SeDebugPrivilege	1960	alg.exe
Token: SeDebugPrivilege	536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 852	1680	SearchIndexer.exe	112
PID 1680 wrote to memory of 852	1680	SearchIndexer.exe	112
PID 1680 wrote to memory of 3012	1680	SearchIndexer.exe	115
PID 1680 wrote to memory of 3012	1680	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe
"C:\Users\Admin\AppData\Local\Temp\8b10d9896fb362ee8b65768b37ec9bc970d29471106ec3ebadf32d690189b0cd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1912

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:940

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3764

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3788

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4012

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:988

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:852
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8cf765311323fcb87af34f9511d4f155

SHA1
5dceab49609d19b0a58ebb432b2365d69b338b5d

SHA256
cc943f95bdbe1fdb4f28d53962234445c61dac38d1c96079b54d018dfa78d310

SHA512
c0847d6bc0956c303cccc3b43069b189baf5d788c7f66024f21120071d5003b8c10df8c55a5260bfe1e0f67ccdd91b82a7748936e84e0c849921c79df6d0dabb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bf1648c9529325fc13d96965f6c22159

SHA1
d1fb158b8984bda7559e9b17052daba206cd376a

SHA256
c39fa74f3fe6b183245b03589bb8ba4dc4f48c368103992b98f9a4dd3a84de73

SHA512
45a0d67320cec70e3e722c71f83def8859dcc4b7fbdffd99a748e1bd4a3375eec4a122d6175f3e63238c194d773e32c937a1af929f6fbff1041ada29932452a1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3009334c045df97c220ef9489ece8908

SHA1
756fd0bfb87c7934d14fa3faf57bc22e2b77a091

SHA256
2c0e494defbab6ddf7f4fa740ad4dca74a40244f443cde91c94328b2db4bf4fc

SHA512
3224dc3309b1c22a407e41018200a616b784d312a99fee3db3c42755048318dc4160329f76dd6f4a1d6f7571634b26da5bba907a646766338a4c6c404dcc275b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
560feae16e74e8602be86e85697d1270

SHA1
d24d61afa58c0f219f955c7512f952a00c000bb4

SHA256
e51e04893973a1b937f7bed9e62b5342d4bc4c4a6f4ee2b6f3346401aee4ba21

SHA512
451c87817cb30b42c9058adec817f926aa82e1568702e624816205f6403789358f6f71f7cc16871c0ac32bab893d619f5a2322a9c143960ec0a56e5c74b6c0c9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
05559ee6e8ea741cc89167ad44784245

SHA1
8bf3f3d5f9bcc350b52b7a768084f6f010ad7622

SHA256
57fb22c13217c75502ebd20cadf1d2f06b5285afd3cf0798d4e16356673d72ce

SHA512
f865f1ddb9a8ab9662564b0956071cee0409d4fedcbfeb5581055212689f94158e3a3119014527b739e3397c9cc28d71c7b7abebb7d6e5cf3e62004033f8df00

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ca2111c1773a56f929994793b50131ad

SHA1
c76da1f16d282b850f05472f8224f6e236bdc725

SHA256
7e8bc4fdeb92650cc4cf960601d28b1ed1dafb9d17c80d4ee0ba61ccee0376a0

SHA512
33f5a8e469b9ba8e7a7a6e5dcde32b6dc289e839224118866bd37d6474da4e9d8e4fe974afc9146bf720fd3f3f0768c69e1cfd5e7138f803f5bbe815f38bf3f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b5dfe7c8f951b6f828631dbc766f4a90

SHA1
510fe5ae3c7550f1952d130d83cdf729751ef229

SHA256
9605fe7b3bf56c24ef309950d73701378dd0cd618e37626a581ed4343be28398

SHA512
fe1c73f26c801ea0e40e1156759639d863758d17db9842fd534abb127f7c8159f49f64290184e6f204a92be7777db658af2d1a9035c870dc5ca0a4f5b3fc5f41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8eb583b6d77a3c3f81695bae0efd9e2e

SHA1
32f70f30ebbaebd6db099461967a1380b513a766

SHA256
c63c136620004bd174ada6a565d688e9ea93d1bf72c93ed8fe0dddf94c450496

SHA512
8336f268694af6064ec110ae95b9791e510d7aa9f4876203bb90fb6615e03b23f8866fa68e606b991efd85e5c85beaa2f203549857b99af070586e7090894572

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b2e073fcdbaa67965a0f5a69f81d2581

SHA1
88b66cc1d947df6311fb25959e90b491b102223c

SHA256
5f6855055111cb7fbc6d4baa9c760ef6dacae706d49f4855260be97de7a13d5a

SHA512
147c9ef896ee37c9c46c0ebadecc90df25672f889e037dad53d16eb8d2fb72adc1c2657df53ec3aa2c1ef58d4a9ebb6282cfd4bce1e607c20badb5b6ad538ccb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f9a610f11827dfbabf1eebf0f9bcf57d

SHA1
2013e31c8a4eb8d74366e6be413f19e07f755e3a

SHA256
60ecc53a8bb5072e7d4cfbc56dbd76391bd050d1ed1184b7d031f983d7a67fec

SHA512
31bcab697792eafa0e4111093202086d5d79e60c02c056e49d759c922862838cca6f34b24c6bb433a939e632cd53540092d72a7b8c663b46cd01d8a4a0d52a67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4bf78820ce2589db37d4cc5547d8a9ba

SHA1
3557a76016a284a4b4455bbf73489a536ee75126

SHA256
69a91a1ff7556288736a0106cf3470973b25842b060b3563d958a4443e11e6ba

SHA512
5f1719f95e90daef44186b67cb4d300fa0ab85a11f8a0d38998a5dcb7738ddbb614edb22afabe2c08cc05c21fced05e647f4c9a8f7d0a07667f2fc8d8b6519ba

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7a2f88d6d9fffcde48e9218fffb882a1

SHA1
5b70a99e2d267267abe10e30b1745368199e397b

SHA256
c3fd6414623bd53a045f348e028eb01dd3d022c0cae618664693f7166dbda091

SHA512
13b8dd0686405cb20ca47ce961ecba38015602a71530c5dc7f71e6a2a456a11eb712b88a4dc844be066f7d6c5c7666e3ff6276dbe6b3072f9eea920f6ace88da

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
10625d50d9d85205210b618a1a879bc2

SHA1
a781361a56a1e0d37bbef22147fb0b1ffdc53ae3

SHA256
1f0d3b5d939b998f25302b1910048c0a58c33e81031961254a2d6295d0f4f529

SHA512
8517cb0869967785a026f57eda310d27b3fae270a8b91f52a393dcc781c1bfc55f1f0802109e684e06fd381bc6280ee4b3ec2801fc4f6006b6f3d84fa14e1047

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9aeb71d9669ad4d4e7646cb670629a15

SHA1
fcd0605b9ad0f9bc3c2bd9727aa1909e297d3b9c

SHA256
a9e06f3b08df5ac0295d1639c7be9d2474bcaa569470057e1e6df05430b730aa

SHA512
2c9fececfa1e7f78aa2d0867ad82ff23b70976c935f0e92e07cb74ca07c3111c25f22e7eee095ee80934585bceb63d4d39655727a22e8ed83312c50e5d2acd25

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6e5ed5ba7ba3aeb9641284a50dc95137

SHA1
0398c0e73bb18bf81e48f89bc15918991ada9bd2

SHA256
c107937bcde097487933100bb0712e05d1177ca34422209c8f4711947bdf501a

SHA512
aa14cc8f09aea76179e626ec4ab2976eb580e6c7798d02fbee77b3ed1ec052fa1022f8a766d617f0730b87c7d6c234718f7cfadb9910ed7e8cfd6f21661d3e0e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9031241fce4f24d1f9c1d2cd64c10e3d

SHA1
0963474991d936f1f375349179d15c66c0353ba9

SHA256
a38a26d9d092362c715a7498202b2ffb653ed2f50c01ca10051ff5da287778cb

SHA512
85aec30ac0b281abf005a78049f13a4ae6fefba1c641af136d2e7596b567940ee387ab798e64bc06204a3c298c901280472b0b6f2f2521cf6f26d56b582e4d21

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a607ef39eb331705e0c133cead46cc11

SHA1
5836dfd14a318812b772f8ac6f3ec601ff830726

SHA256
c9b7f1d5f5e8c161a5184d7f545cb7f77d2ad445bab9bda2862fbe5881d369a5

SHA512
3743d8c715a55ba44d8775ec40148a58aabf1056d324a8d3cbac1f5a2102f4a42ee444fdcf86860a1f42fb86aa931b52d48182b63af15078c7c7a7f46fe5b090

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0884912206f48a51b5f0f51d418a2cee

SHA1
0c4ea15ecaee46d555854119accc2de70c7fc227

SHA256
ecc27a40cf7c9bfd150b6d67d4bdc76d69c5d3f64489ae1121b3b595f52a4d4e

SHA512
6d6594aa4e0f358a3837bb657cf874c47e0d6a43cc39323fb45ddf88e5a1d50e9bfbcceadbb868ccb80b0dde47906d865580bd41abcbc331a8613772a44b4e75

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3d7cab5dc847cecaf2b73c1ab3fa1d74

SHA1
3f4fc8a12e4b462c6ad1207e3b6550d13f8284f3

SHA256
7ca5aa1e6925ae3741774a0c129c1fc2ec64df9ae7a226094d5c94fd8d2ec850

SHA512
e614c33274f6968a1ab077aabcdcb2ae9b4e8164095dd4b94a2ac3c40b5a30b8b3a74d3a004b878688e57d85b22690949af7df4ac443a9d4fb44c78f09f01295

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
30d4f5e50416df8fdd35961aea0430c3

SHA1
24fb69ba5b668f05057e7b3e5683f1d8bc532e34

SHA256
c553a095381792d169930be68298a2ea0003d4325f6622dacccae57c85ee8f76

SHA512
ccc8f487a118cdda2f9e1ba8bb9dab15768f9ffae947d6bd11ce63018be153a8117481be0ce6612bfa7a39895449c3a9409ebfca437d0e3e0b5d6f1120c4f5f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
42c2dbbaff7c2039df635901ccabd873

SHA1
cd8e30fd06c591e63c53b0185fad560b24ce080f

SHA256
b6caf1d78172c9cd41b17e57f42e2c4ead5ffb55223e0bb14168f580cd09769f

SHA512
9b9613ff752d3318b96ad3f938a6d99bb2540785faf8dc0eaecdde20ca9a38a45148e4a118adf741f561d8edbeb14f4ca945e609518e2cb254127c6222a4ed9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
891cf79fe6d787c2dc0114e9adc66a73

SHA1
0062926052b5eadbab8be51baf5be3ce4d19a324

SHA256
9e2187605d5aea4d6d4e6e2db56921a61bb6147112ccd3eb53a4d30a61c1d9d7

SHA512
2fb8862c18652e6ce9362ecc48d2463590ee327039c259d780fc808f43237d2b7619ab06be6502add32b27fcbfcbd6b64d23274789d5cf4cadf6d68af2f88b75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6c817dafeed5d86c84c4cf879963d75c

SHA1
a6b2fc5a2ad9433db11f72776f2981f011f9c0c9

SHA256
a7509e1e33034e501c1510b680ed2214b782a10c35a9d3ce63f327e993395c4a

SHA512
d5b8751e4c9426ea7f8284bc4aa18f9ad06936c4f7251b2c2e96f2444b2e3658e692b0a1b5707b83e701f3e566390162153e867b45f5a69105ec8d104e61c8c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
8fe8d2d650ea8cb15a8237b294e0cc84

SHA1
0dd33cfacd507c81e1be348e8be502bb98fbcaf1

SHA256
3607ad4a2854eb1374ef0627dd66cd5ae3d516114b3942d52a46a41e8dc6f575

SHA512
222000d35301c1bf442387ef1859fe21d38d47e15d8cf3c33be0880065f3126b0f9ed1d2fe6fe447fefb9809ac7fedcbdc264c1509d6ce9735e8a114b23a2d44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f7db249aa1306195d7c2f8bbbdefb3a0

SHA1
bb4aff604dabd76602f512b1cd9658bb3e5a6820

SHA256
564426e29aa8967c5d8c5b47df89d044995b5b5cc10d0ea178b3da3f715ce707

SHA512
3879ed6e15811b8e9e3d0d257bf2983c1875380dbb5b0ab02fb89057d77637fe026e25c1664f7558dd7f2302f6802881c23dae320ddadc307c758ba030c44151

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
72462bc75203c72dbfb0cdb53c1d0e99

SHA1
eb8de38cbd065a1b1cdce04753c4e1a7622304b1

SHA256
bbb3effb6eab5338cfa560d414d100321fefd4959af4edbb55154e0f939a3312

SHA512
7c0c0328387aae3e0f6d510d5ecaefaa685478bd3457a319d44b03d9dec02f64f0d3a7b2351757bd669cfb0732d6f0041e8effa5335da9a05dc98d7a0dd6bfdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
bc034617767bceb4e5c9c721bdda0efa

SHA1
fd4c703caba5dcf7f94d34a461d4c79210a64d7d

SHA256
d3b5ac77e5fa5671da0c44b9b2e827c3d59582539545bcff8f40e7ff3ea9486a

SHA512
674bc00691355d1bc6892b6bc0ce3dfe50f1c67b0b5cfba52b926c2c0248d5e62076839962c8a34714678696c7d704a99bfcc87ac083f7df124dcbf3ead1819d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5bdfd35f9e160abeb3926402512a8109

SHA1
fdd41492c35c22ca6ffb873b151a05d08857e728

SHA256
7feac8fcfa75586d5e22e8a95bfff664077fa4b6960216fc2f967ae3c6c99abf

SHA512
99a85c43d6628fde19411d9e922df79918f9bdcbb2de58441ccded794bc696a174a8d8ea467aa0973ead4d69234cbc8e3d20583a5c48939944695273397f2df5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
43352524b726dd17487d2691dedb989e

SHA1
e524f6294a045ae007f8b5cb178b1170b3649bd6

SHA256
091a576963f8af46461169ec3883696889e1977285c57d8f2c4bdacb3b964a57

SHA512
b9894d66489597473f9de0d7cf08a3c258bbda62aa09aa1b3ba64e59c145d7bebb6a61bbe2daf22d490d73a62a336b3f7380989ead1e0dc1f4589d0339080d90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a30aad1e680b8ebbd8766a69db08fa1f

SHA1
4e161837d8103347d4ec4e85423bfa23bbafac75

SHA256
2bd53b0980ce5249416a5a1ba7f0ed9959b3252d2d89ecae50d6f35060e8494d

SHA512
e53697f5b39eebb342a912c3974313af25542858915b5b3d9533e54d451370218c27359ed0cbd365d6d75ec283973288783a20d5101d3a4600cde3351bfa301c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
4b06ff64502cc07eaec555feea0d3e65

SHA1
9cf9a86dc265f2dcd645684d3d1a003d77d13b93

SHA256
33a7641de797e3fc92504b19c79608f737559a7883cfde4174c9cea5a80f0aae

SHA512
6e3e5f1e47d937ada2bd35a9c1856e665dc191d046b1e53916877f20ca363c7fa27da22941938e40bd6a309c0ded6d350c91ec125b25b65ab2a83a2a8f2cd76c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
53ed10e0a734a0104c7fb2a4b5caa08e

SHA1
dd6cc751d14d61d754cf6bd609ab5dd45ecfb996

SHA256
57f7705a843590476ce65c4bed4ad5050a5634d3bf6b901110c61a4eda86c4ec

SHA512
6b3ba363ca9cedfc645921226e68760c0104c859f584e0f74d300a74f2e51bfd51f3e407585421b616ffe96b2c681c1da42e59da3c35c0ce679f5833a1169f57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
febe0a52835045515b93acb0d994346b

SHA1
db4417515c6ebbb47242eda2b17da6a809b167d1

SHA256
fcb9c1ec655e1b330137eb02f917fa75181fae94b0128ca454fa7e8ea04d9a51

SHA512
d4127da92fa0664e3815f2245b70e3cb74d827004310bbd47f8ce2f8e8b1f953dde6c4391268dce0756161e93c675a3e0c1fa9cf2d1d821e5c205a928eb5c3d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
518468fe8363b2c0b8f29707fbeaa573

SHA1
fd4e6f661ee17736c9d46adf51ea6a0234854c26

SHA256
8b993c99ba92b01c97e78132ad8906b3e59995fc78d1d5833e6a268b8c34524a

SHA512
82443eefb1a526c3e07797b93786919c17a59de96e71a8c4a66ec268504ebe594a2ef9a175d9013ba76f4e0ba3016aaa7e5eed252c7471dd914724b5553f1fbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
8c4f8d041e541bea4c6c3793ad4ac576

SHA1
3fb9b4baa021167d55aea20d9b9a287d4225fd08

SHA256
8936fb9c3d349c9fbdf18d5ed78c0f04784747fc8e51a247eae312a2433f8ce9

SHA512
15f6ab1025a3144881db1dedaed9eb88dd455429f8c77c536cd450e97586b90b4f8509f0ee37ba4b2f435a7777100f1a0cd9b4112fd30cab2e51dcb3fa53efd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
cb459d36ba83012e381031fdd98dea31

SHA1
81a6859d0d28bcf2faac7777106f5cf98306b066

SHA256
21b9ae683da12b1659f577e2ce5ec3387c98fcbf62408ff0a5ee21ac2bc82c38

SHA512
d2ed97fe45600d6113f169de9337cbdda6d19bdcbfcee7cd1b574325fce2b3935e80be9a0b4d0019587dc468f9ecc9a39448384ccb906649e1c23a7004cb4411

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
552405affaab56026f0a54c06c24a4b6

SHA1
c7371e66d90582d2ef1d148eb0dca5243a831b0b

SHA256
b4a1f6a375ba26b772968b9afcc6b570bc8194a5f6e67c025eaa26d4e69e1c6b

SHA512
302c1e10dc692cf6a8b7ae9d55359bb415c9ed3c1133906996376201ad2464f483330b1df80d31f54f54b4634a8c3c15fca775097883e52da92d5687365a4e16

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
03008c4674038b3075fa36b6376046a3

SHA1
3b2dd8fb0467e9127c2f84cd44686ee3055e82ae

SHA256
b7bb99f5065293be40f35776f6c54ad32f17b8a8418e93871561ff7b2a4029e5

SHA512
bb444091a27fedf24708495d1c4c4870cb91160ce35f33f2caab49e3a091d90e6713f760e212c08c293a0666bb7c2843a8cddd336ee9bbb0124557ac7e1a06ce

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
3cd7448cc9a4ddd6d52ec3d7798eecb2

SHA1
180b560f8150bbb35d32c73bb6a532c55760de31

SHA256
c17e744c870ba5a46dcc9ce9c6d4fb2396448987d6315d24c34f4da8a8b9d19b

SHA512
783dfcd4dcfd24a538304ec2fbc3c47e6a71fec8a081d0be6642fd9d2d5f691bcd0303036ea21a3cf4cb36e06c263a297a27285dcdbfe96a8d628ee1ffc492d7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4035d6016a273fce394fa0ad6e5d236c

SHA1
d2b1d86f1f47d82d09f9b51883ccd2621d71450c

SHA256
f47cbc240988a842e89e26f81e62990bf30ed1a22f6d6e44e857336f89bec173

SHA512
3c95f397ce1033340913773bd3c9af5ab651f8953cdf1d256d08e7c0fafeaea74fc989a95d862d4b1678222898afebd68325b17e74646dbc2a243e3793b1a611

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ec358db410874eef10ba33a4b40d1729

SHA1
726185fbb86cb18304045d884ed88c3729cc14b1

SHA256
6c780433e3ef465849c0731d14ede5f105d4505269758fff6252918fb139084a

SHA512
1cf14e8776ba541c1945e02d4aacf45c00380a388bbc408f4e36adbbc65c9b01ef2c51d4fadf3c15f07f0c419ccf36433a53290f8e63860b98701f7e88e4c039

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7bee73695c2bbbdffb47919e348fe9d9

SHA1
975b33662aa0575351f7cde1f7c00389922bf41d

SHA256
fd38191cbe5bc91afa8e933cac9c9c0470ad664038391f1bb25e9d3506003342

SHA512
9d3f3812e1f311eef0d9a0e25d27403650fd6bdef58b1af6aafa915e9ec958d125d62b5c9f6fa2428878e2adfb34300009cfcd3584d62654f3b81602ca1a4851

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
498b0cbeeaab666e7119ef063cdecd60

SHA1
cf51346403d238105d11a1df6891af9742a7d03e

SHA256
daf4f5db8215d9b07f8d02f28befe243c8e44b7aaa30cfaa6519ca2319f424d7

SHA512
b3f0cdd1c4fae5dff21ded2c817a29bce5759b459fa34680ed685f8f6faa0873eb37d13a56349127060343505cb1621693895d8408f133af51dfea697ca8997a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
be324ce67ae95a4a9aa03f846f8db21c

SHA1
4621ec025c1b28d08811dc0f5a6824188bfe8335

SHA256
68cd20fe8a47c39d1438055d39c4db71593ac650e54ee7bda014f502c15968f9

SHA512
0a085b20ae2dfcb8493b3aa1089e81446d90a16e4f21bc7ecbc7c892a8a5305cbc751ce0ae7194ee9f5be53af226d5c58d2fefe60181296a5194c3606106e5c2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f1e53a7225d54a1b3cedde3a55aeaf4e

SHA1
91fe93eafb167727e323e628eab381d5d7a71249

SHA256
b7a5cc3839701fc188fbc57718aabdf505b9d0cf940dda238af82d4208d02895

SHA512
9e402a4e75c113fe339695ab14c90cd050b71342e49bb6ad8e67c672e38dd991be11a235d87fd5c86d5a0c231e9e0d7efb9cfa6aaea5e010ba00717137fca57b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e24c62734e871fb95d519920eb70cc65

SHA1
54a68b4affb516eda368e6c8399ed36782d72390

SHA256
5282d505b9693b2796e3d9d6f54d172bed8e51e5ccb1309aa212ca4206317bdd

SHA512
e31cc6a161c5c956526da24241f6df620b958913c34e3c4231e5d9dfb6cc805fc93455244838ae8f1855858636ff70a57db08d22f3fbbe353760f4660a59001d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e6b80f7c5641452d83e73bb59194c187

SHA1
98f2f4d57d8a388090a8133c5b147ebca2b94469

SHA256
378af5846629d34e673a60b8a804a088c9005724e9400f793a00e5fadb706984

SHA512
4bd4697d6a1624a359e29e953b1407470d961a00e31a3763a23c7503ec9e57ed07c0e6de28baefdcbcb188359375908991984d9f9805cd04aa93b9991d021049

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3ebc30d5edb1691a2fd34f7084e9187a

SHA1
b7e99f7733dcd4e09561a964b72c099a13446751

SHA256
9066b81f1b0960317295ec27953452f15f424075ff2a2eaa2e1b055d633ab2c8

SHA512
9423147c679d2b4a17d745110cc0a981dbf48b87da89fee4686a56ad32e2a6f7778c21bec25c68f8cf2f735e6f556959a76e39d9d5125658cb5963bac9cc8986

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3f5355f814b44263dc47398e0f10004a

SHA1
d3eced1d89ee161d227133eb6ee148fcd3f330a5

SHA256
030946d0dddd64373c24670b5b8bac6924be4238abb9608bbf7c6b20a747b1ad

SHA512
00d1f4bb6eec240dff1d9c24bb3f11aeb8e9fc1c985dccc0fd2f4cbebbb506600a9978348cdcd934fa5c8081f15cb5c5dbd4baabbeb896365d79b8ca29c2941a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dc850a4a305b4a558e3bd6860e65e882

SHA1
1e92fc0cf6ab851f97f52cfbce72f97c40128f4f

SHA256
f4673733c0e3ffb9c0c6ab00eb53ae3ea7f3e50736bbe98e6c414b906c9ff56d

SHA512
7b8944f95dc6d53a9ca3d79f4bc2d7fa25d569631e7a1d93c84fba09198c3872c3d993eeb8e6fc72f3036357bece22679ec5143abbf74e4cea7ff51a4c56c082

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e5b16a8c761a644ce9d4082440210959

SHA1
a9194865c1b711463ec927a37dd8047fc9f62d01

SHA256
e42fb4971ffc286c68605406dd2d7ad1a55e24e5255533f5869deb5ba7986ca1

SHA512
33c013b07859658bb353f9eb4fe0839758c085d67c31a271a44089932bd8d6f92f05b235642b8f28ee06ad53f5ddc7ea76630abd48d2b038d2ab0557ea186206

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
64290993e2d757725192ae671a6fd365

SHA1
8de75d16af2ebc51ea3b1cc01a5882fdc814cbb8

SHA256
cb81c0cb6d98cfd5fdfeff9be726c8cdf67583c8e39ae37eb4965a78e318a037

SHA512
e8258d2ea9a2ccb2060b62213fb9a67de7d1511ef7c5a2c424c3e4c2fbea988ef90aae765949c36190548930c5eef81d84ec09cc39c3b4b6a5fcd651e6e0fabe

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
327f1c574b238ef6f8223e6223a3cfe0

SHA1
1229fb94f6f116f68818aeb1c85eadaef7d51adc

SHA256
f6c53a18fa375bc09155839f93572a8246d75f64bce583038bc113671398f02d

SHA512
180a8b93e5f603fffa30304f4331975499c9e3fbddb8cee6b52c46744bddcaa99589eca9972d70953dace3e330797d8aab56f507ec9a35e28503f772b28156cb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8d46d229b5ea49b3940ad2bd5747f319

SHA1
09d8f987c0440f1ea9becd7d934a15e236478d0a

SHA256
82c798cad8521773ced4fbe4539cfe43c9db1b50a4f6849614fd3ef1d41fce41

SHA512
6b9a641219f212da075e52c87320f72745019ff1710e1eaacef1e9e1ebac16283a20b01663074c3180c2b9f1baf5825229e0c7a8db87296161cc38a4d9e9b878

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b274cbf623a90c506a0568fc156f2d92

SHA1
794161abfbaae5a343ff31f1f67b5a213cf0bd54

SHA256
47494266ccda3e6d291cff4d8f5ca7fe06bade11bb519037a23c17f782783292

SHA512
ca09c92af32064b9c57efec7d8ad0661c0b3074265abab89eef47ae687ec5bf9809cfad8b9cf91e8fe25ba535c84b476301d2525a174bbfb02f7bc06fc5e117b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7423753d990663741de6ae22bacbf3fe

SHA1
d3ef76ace9724cb86edc3d59476da966d142a58b

SHA256
56a484b4185d369e674901361b99001a7b4e2c00217e29a4c2427607141d7cef

SHA512
e955ffd03117ec1e9ef90c56d3c456384f27414773d7234408aea21899d2ce5ebcb318c189b80f9d8a441a48c633204cb4f0df41bb1bd6ffcc6b2a4518c63373

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cfb795bff59470d4b243110c7885565d

SHA1
f9cdee7578ce72e65f30507fdbd15e674211cf97

SHA256
a235b52892ecd4ce4f9a5a24a7cdc8b9792bcea957c225847046d813ef9a9180

SHA512
3535d0ff606c2a789ab76a9dbec05f7209de5b27ff9c24b0756e1754260fef14e1e828eac2038572dc0d2e6e2d4afba78ebc766030322768db0208de7937f06e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e453c9145a7a15b7a407746caa3083f7

SHA1
9661301d63bca2a076a07c7fbdfb07672dbe4b92

SHA256
7eb2b3c1906af8ffc3ba6704b0081f940cc7ab145eb13db1f77bf23bef269b93

SHA512
d50c9d6f7fa66e8c1123a74f4c57354dd4a7fc427623eaa815def4487a7baa22f0d087493f59bb1e9d5e966dc607ac920bede704305c7dfd19ac155b020a4cd3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3f46bd5d31568a21a14107db0f7dc7cc

SHA1
ece32302a3bb14aef00029074e89f475db6a3bb6

SHA256
4e547e0dfa0ec33f62db81509fe6c37aa21d89ee76641948f6e3519280f9e75e

SHA512
74598eadcecb01ca0a0f3a708c76e5dc88a181589042b72d7bad32c22459399e39ee2bb1d2b4af4755ef4eda943fac648fd0c49d65a2429bbb1f76415371c031

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
99618da4ae3f95a91638ca2e1d7879d0

SHA1
3654e0eb48d87b7131d29823873a7caaf6d79979

SHA256
eaff4fd2dfdd15139bfd4354394e1a2e6c07c4cf6b993e8efe53cfa73845cd4d

SHA512
da08bf066619dc7a1582cded3b89fc89637345e668157fd78d921b3c6ed554833e5b174d099c637c2c78dad10b260512040f3a9c164df02d505d46c070cc2338

Download Submit
memory/536-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/536-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/536-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/536-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/536-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/776-657-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/776-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/940-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/940-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/940-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/940-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1080-49-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1080-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1080-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1080-38-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1080-44-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1644-205-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1644-525-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1680-663-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1680-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1960-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1960-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1960-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1960-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2032-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2032-519-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2032-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2384-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2384-661-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2420-231-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2420-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2444-84-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2444-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2444-74-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2444-80-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2444-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3236-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3236-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3236-58-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3236-52-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3592-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3592-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3764-208-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3764-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3764-90-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3788-268-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3788-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4012-520-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4012-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4324-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4324-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4436-124-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4436-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4512-448-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4512-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4664-6-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/4664-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4664-88-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4664-457-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4664-1-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/4728-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4728-656-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4920-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4920-524-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4944-269-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4944-662-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download