e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
Size

1.1MB
MD5

133dd36fe126e85e80143c3c5bbe97cc
SHA1

d930fff3c1e7542928d9c5d56c4d3a496a8eab7e
SHA256

e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468
SHA512

63bf2d415b7d35ccbe7d687ac790d350d7a0b51cfb1223ea1e5b93e6818e8c366be9575a3b85f9d350488105278a83ee0d79e1c64699e34f58736554d361a055
SSDEEP

24576:hpCDmbANrr5MiwFhDoET9UdCN/j2GLl3iFSE33b9:humbANr92TDoET9/N/j2U4FH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4152	alg.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2952	fxssvc.exe
4404	elevation_service.exe
3956	elevation_service.exe
3028	maintenanceservice.exe
1356	msdtc.exe
4228	OSE.EXE
2436	PerceptionSimulationService.exe
2068	perfhost.exe
3592	locator.exe
4140	SensorDataService.exe
5108	snmptrap.exe
960	spectrum.exe
5012	ssh-agent.exe
1528	TieringEngineService.exe
216	AgentService.exe
3144	vds.exe
4300	vssvc.exe
4868	wbengine.exe
3952	WmiApSrv.exe
4588	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\63e690274a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\System32\vds.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4698fe571b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e29c9ee471b5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f8b31e671b5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebd73fe671b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a169e9e371b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ca1e7e571b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003643e2e371b5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047078de571b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000711afae371b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
2256	DiagnosticsHub.StandardCollector.Service.exe
4404	elevation_service.exe
4404	elevation_service.exe
4404	elevation_service.exe
4404	elevation_service.exe
4404	elevation_service.exe
4404	elevation_service.exe
4404	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4000	e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
Token: SeAuditPrivilege	2952	fxssvc.exe
Token: SeRestorePrivilege	1528	TieringEngineService.exe
Token: SeManageVolumePrivilege	1528	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	216	AgentService.exe
Token: SeBackupPrivilege	4300	vssvc.exe
Token: SeRestorePrivilege	4300	vssvc.exe
Token: SeAuditPrivilege	4300	vssvc.exe
Token: SeBackupPrivilege	4868	wbengine.exe
Token: SeRestorePrivilege	4868	wbengine.exe
Token: SeSecurityPrivilege	4868	wbengine.exe
Token: 33	4588	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4588	SearchIndexer.exe
Token: SeDebugPrivilege	2256	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4404	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 3104	4588	SearchIndexer.exe	114
PID 4588 wrote to memory of 3104	4588	SearchIndexer.exe	114
PID 4588 wrote to memory of 952	4588	SearchIndexer.exe	115
PID 4588 wrote to memory of 952	4588	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe
"C:\Users\Admin\AppData\Local\Temp\e419b0b18c55c173b67521049e500436ac445e8c7128e21409f93aee46c8e468.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3956

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4140

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:960

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3064

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3104
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ac56f6932fd6866e9a06e78435b649a9

SHA1
53496dc88f289a04d3d146d8890fa52980d2e24f

SHA256
5aed9b81956487a5cd0be1b1b017dd9cc3e67989cbea81b0eb252f92ea417c38

SHA512
9cd14fd225d722a267a82277c69d5a30a377df30e33646be342a9f9e483b18e2c70bb1639dbcc41f09850a2e626491fe619a2bbcf7dce91bfe6abce75ccf7745

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
a23b1bcf235e931e1afc868b7cdb1f4d

SHA1
175365c88543471e85227646fdcfbb941a772393

SHA256
2c511052306482f49669a2ea0115b724ae49c899d6688875e34ab511cb5d5a8c

SHA512
7ab5cca78a8c35f9c9d44e1ba1f8b59a71ed21c048077649fea1d104ae2a422470a686b98c2ebc561fd7eaf324e232c04eccf1a7cd86af6b32f81e7712d853bd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5aee88925a6629171a05354fdeb5606c

SHA1
ac7f45cfcc66afadfa18a2e5f6b482bd7a80bd30

SHA256
20aa45c2330fc3551ad9d312e4fbf6b1299ae9c21653275fb08bdc2bcfb6b3d8

SHA512
b8ebd8a865ab47b64da20071d938d0f5c4580d7dbb472cd7612630764261aaa66fd1a79e73a4dbf9af9e83cc40c651a87fbd1eb673a8adef3fcb5cd0dd2b54cf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ee8e443afcc57d1d081cd142eef9c375

SHA1
f66858a614fcdb24fd6c1dc25733cc1272257ea5

SHA256
96144ef78f81cd3a7956d2f5405a7bf5cb9acdd1ed1772ccdd035730f34eb5b6

SHA512
3bd7b949c7e20c286274c83b63c8c4d490f2d6bb48d00b4116e5f11e81a86623cdcde457f33661b7f6bff72f3dd631dcd9742111da4cd66b90e58e96a4f1ca55

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
38260ef762c104bd09955fbed575d01d

SHA1
84a53efdeeb27ec9f94d1164526f26f5fc4f919e

SHA256
2c035e5fa348a3510b663e439440362934ffef03000a38fab92aa34e3f5a51cc

SHA512
9595adeb1daa2b4c676c6c93a369c29ee816d83d1ac7221ad6c7569ee4e66003519212661306f1d03c6268c8960d83f6ec4d9b138033827d23f4ad6bd58f1b3b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
bb0b2c39540531384956a64be15feec3

SHA1
2a1411d4f1166bc469f59399c8581f3fe79d0216

SHA256
b54af6d9244ada543825f81f1366d7a5175754e62f23e4ea73a29a618294b3ad

SHA512
b39a2ee0b2602cfa577110d32ec00a14947055ac964e8c9cd74578113d96f915ff6df58afaac0069d0dcc846cd08e506f76050d2d0836b57eff12e836c453bb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5be96a1f9108f129f28a8bcd95d4436b

SHA1
fd14738c9745400c7dbb82928c64e1f10777fd98

SHA256
e5a377c74325547e629c89cc28e3cef73f7f846057968e9f9f69dce752d9fd41

SHA512
f073848ada67790a1452853f43bb042d76a297ab794d20822a27161ecf505c299bfc653957665c13acd02234fee3a9a1a581901e224bba190d16010b1eafd3d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cfdc296797cdb159ccf19803feb060bf

SHA1
47ff0b002f55c15b118cf5942a21f8b42419f3ff

SHA256
48b77697462c74cd82312ee5edcb715354e167ccb63b5a06024062ec08c7a38a

SHA512
babf604b8d2d17404547fd9a345d7f4034d1d3d7041f3d90e30ff367cb0edd88b9bf385b7b3ff8bd3d6bfd3b1b2b587f2432dd1b86b232c6da96088ee8fdf31c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a684e3fc768a4403712e460d5c34d685

SHA1
7c6876fc790f414ac98afcf29d3951d88c8333c0

SHA256
675d03a155f49e24885d813d1cd12f7a1e515c14e51920afd853fb6ee0d1a4b2

SHA512
6ba9a944a4f1fa305571d2ace45dd7fe7caa011a0d2ab869938c3f2e215e5e7eb0e0f5f1d1ea7db0ccfe62cac97130aa911c33c9b973be067e97e53e7fd57939

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ce3dfe739e88ec3569205d7979083349

SHA1
93748b433925bad6ada19e5a87a1851d315fa4e9

SHA256
740704038bc8a8c931fde478eb4f6fe005985be94cbaf9e5a95d0b556f51bfa6

SHA512
8a72fa71440a57bd161917bd9740bd7e13e70875581126cf09a7543570c3ce6661bd788bef38c6b579d076527b07f6da8bdb69dbd7f20faa3f1545962708f70e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
128538332d097759a6ddffc54b15f241

SHA1
1c2a9d449ae70687dd8e61edcd5f6eb49dd7a71e

SHA256
2087fa9bcb0b79bdd0a34cdb21dfc1cdf20452b741f87eb1f781526e7f15e6c8

SHA512
578d99bf2c5bfa76993b42bbc0031778a4e4929e1929eb789a3b43fd6347a9a88ca0918e587d4fbb9c72ed324e5064efdef255c18e2d69c0359ec4ee3b6f9be3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
45e8d4664ad98860f963b4c03f038974

SHA1
b17143142149b04f88a398d1c2a094bb945b15f4

SHA256
d59a982c1eca81fc56aba8d74e9fd3b2be19eb61bded4dff1d2fe24e87f33e57

SHA512
05d520a21d23256857c981fb7c4857c8ccbae9ef2cb37c5569d346d643969bc332bf73265eaf7355650497c460b79ad5bdf9881b9ce8ee6f460542688f852288

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
11268a801c7bbfb6f197ac36c8157c8b

SHA1
db8f2eeef40c0824dd58cb74f1fb49eedde3fa49

SHA256
a6e3cc25dc865d3bd7432fea488364b925b4c6c9c7b77cdadb45f54159abf539

SHA512
eaf3c51dc4f412bf287e6fd79680f95fdb737be721e79356d334745b1fceaaff1442b99b0e030783db058a2111ad3954ac0b41db6ac48217b0d41c7abf5345b4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
820330e2ede4234d0236ad397a93e012

SHA1
358417cf5841373c2ef8ae8b1a92e42d539f6a9c

SHA256
378a88d2633115052ff47f9fa5372d4588eda3e753ff5ee74339c8cfb301c5e1

SHA512
d3e40fe6a0a4475ecb3e53219a3dcc74f12fb3941b551672ee75a110fe2b2cdc9e8eb6e4733e36ecd0ed23509cec37cdf0af73e3532ac9a515ed3d19bcd5f19e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b2e9bdd85cfda91ddbc3ef24ce48aa87

SHA1
539b12f71cd37029cb53f0fad38f6f52c764a5e3

SHA256
ef4311c87f8c24af43ee25d21b4620a6266c106ab5088f6a28ba8d3e96ac72a3

SHA512
a96d3e23d0096334e097a28a64aebccca0a567c22a310672be7f84d8bb5be53ee360f4d68380305ba8ff2c02ed4c2d258e87d69438f0ed9af0a446d344a8883a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
11526d4e8eda7a020b9116d8daee2cba

SHA1
218297d607adb8093506d2e87d56064f5f4cef01

SHA256
3a07d93e08833694e4329bec272e1e1a732dbdc819200f8a577057886f8ef2a8

SHA512
464242f98cadf9a086674a12dcf0dfa21688ad2d25b5e4601fb7cd2be7784564903e8d484411e9823cf77cb913f5c3416f6837fafb9c55f91a069457b084f863

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6ed115b5219cf03217f6d831535597f8

SHA1
91838f1828963e887eea8e4d634dfafe4430a375

SHA256
c4e0dfc2a3e0721e4a9b1dec31ded2a37ca1c84138c2e29578847b3ba3184cb4

SHA512
8c6c5662059ad51e0e33f4233baddef96808bc8747885859eeed68923d77922654095b82ab10061ca0d8c1ff913435140db8e84fba4c1153f193e5e1395fe3d4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1385b10a378e64b2c5a1d1ee19e1a7b6

SHA1
ea812b9710a17ddedbced4854b68b161fd5c69a2

SHA256
966ed5dd8c1a7ab627d43ebcd0bf946973eb3cfc9f22a2aef4f66307a022202b

SHA512
b3e4e22e921be65d89e15bf33fdb9d8be7008ecf2b49e1edda8f8608ba5337f7187a78237e78433687eb0fa9b9a63871b99cbdf6dc1e4f25e6a9cd1ea3334ca5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
94f9898d8b072cc1d5fbef20f475c950

SHA1
193818bb4d19b34d89d73e07e34a229811257078

SHA256
5a39f49c3c3eb70771334b4a66c51e7a2223e0f4f3412b9861adb8d623a30353

SHA512
6ae86d6e630379238a7708838329ab59be2bf420f0619e0d03866cd3605ed0efef9f3334d56291c86f4e43739664a83574a87a3291992cf7d925f82ed6db73cd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
79f9caa6d4a260242d0fd6a79f6b9b04

SHA1
26c012cf0eac80142266695cf3b73ad242bda26b

SHA256
0a4e19fd759f11570cadf8aa85b10e85e08fdb6f29ea5d514644966961fa1a62

SHA512
d92f0d747e46822fdf1ad8916b6f336d061de679cdcec6624806cd25da9e74680b69be2c28068743a72a91c8f93ae4dfad70e357a20294b21dcc4acae2f12fe9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
0c16f87362e74479d781b821f792a696

SHA1
9774a3b4082ea12e131c99dbcac05a3ac37c41da

SHA256
254826dda6090ef14863467cc69d4d5b590b6146a2f8f54c6c727e8a7c4fd2d0

SHA512
d0ee04c7d99d89258fe5be498fc2724b411cd8d82b1fb4557e20a9fbcc36acd589e8212159d686825642a113577815d7f7a2a08c052ce4f7c0b4db1d32944984

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e88180cf7618931fc8abe3f6bea62e35

SHA1
7404363a716c01c440ac57705de24726999b0263

SHA256
4e1546610e5a3c4c64d97f9133fc9157de4e7a7d5e81b7105725580ee99083dc

SHA512
70f369fa8dcd2d54dd7ed5e52e4ce46fb630dc449bc0a984ffead9ea53b541fa18485fc5733054787e91e12a533a445b8fbea7e23e6a6b4bb6fb38bf4dd1d252

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
89b9027e26c52790f61f774d8ac210a4

SHA1
ac4ec29e10db726fbcfe7ba3736a111910897f32

SHA256
1a494ec1df11c5df492d60ba7bd114d137671cc9eceb07600340e10710e27329

SHA512
5c5b03de65277db2ce5d1ffa29f260bc957577a818651e1061edd960b1b0be26e011a4ee5a04bb9fd60b58069539bd5ecf6bfb297d54f7848ffd369291dd2087

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ca8fc05f2d7ff9fd33f44e4b99ef0369

SHA1
2b19fc08b1319edde03f1569bb0cebff5198b1c9

SHA256
b6ebf674b164ad19a401106e244a973e83652e8391d4ced1c06918f6c0e4fb1a

SHA512
cec13f20961b7888d36c430e3712c56d840519ae27c6bdd55e5ce083ed51b787fac5b769ff7834aa67ceefe7876c8f97e0a13e5790ca2b633d289393544b18cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
300f17bc70f5aac5bff23efdb40d657c

SHA1
cc11ae7d9fe462132597f6df58bae668d7d06c1e

SHA256
baf9086ce07aa491d7c521298ede8c16db50eab481a446eda149d38d4e27dd95

SHA512
cecb812638bb4ac0f6941ae22348006e3fc9f9c9212af73abfa474d14707195182c04b14dfec652dab5c78b58332db1682147e4449ec440e3bcd6bf1e76c3d24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a1d86d6229e62df0f77d1abfb1ca1833

SHA1
80c7bb4be774b32e8743b05082d044ca40116096

SHA256
86adb34106be341b4c3e2e4921ae21eb8b2b183ef817d3488be68e8875095d6b

SHA512
71c4afc59028635a1c843dcb2901d689de5c1af4ffaecddfb43cd9bcdf59af469891716ac848f1593774fa4e218f88f4f7033b3f616dbddc136af9ba7f093d3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5dc8875ce994dfdf88fb85f6185cf434

SHA1
dcf9e6443d95d507088069c2ae1459afbdbb37fe

SHA256
0ba143e16b3ea969382d278339d323084ae1cbf6d49bf06cc3731e2558f06d40

SHA512
d3fb7c0fb3953decd1394528514b858f8ed940cf0305a5ef39643e7b5a81111f873c713b0862c1dab7e7cec91e37e791491e5220918381870621a8fb925eb38b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
176164e49f847e744cb1b3a9222d0bfc

SHA1
f1f77a48c33ba8b5a7f5ba0cf97dd554b4e7bdd5

SHA256
bed9916113f0a4ee924e672f3cc71bd35917d74d5c3c44195628e1721e85f61f

SHA512
c22f61aa27d839a162e34beee4caa727d0e028ae519a9c4785347944692945e37c424770e8736574b583e250f4f27a400ef857978518dafe2a8c62e73366891e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0547573879a5e1e1811b62659578339f

SHA1
9f14312a999cfe3aebf73caed2754d1d556520e3

SHA256
b718563b4838e78339bc5d209ea7238cb0ca48f717ead2a7c3c07cacdc2629d2

SHA512
7bc6d0a35d35336f35e849b1286577073f4da902d2e92cb1bbf9dbb91f370f2d843132fca23c00119e513b2b04409ef66ee915367a591dab4cd3976de130d871

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4c6c614742d6c9634aa258096c6e70eb

SHA1
2222d769a03864526fc9cbe8b22fd883dbdbca66

SHA256
a74ad0dcc222e805190a6e52fdcc5f87db06ce62d98ccc930424bcfe42f9be1f

SHA512
c7f3652117217b2d577834abb0180f23528a98f74c3a2270107b6c45d8e5de8224e001ef37c234a91b68bbbf3670048754fb3e0883b06f8627a5fc3c10f83482

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
04eacd38594e0d301ef5d34ef0636f40

SHA1
8421275e803d3c968cab851b1a7dcddcfe1bef34

SHA256
cf24ff8dd590474c8272b930d4e053db89042bdd73dde944db78bcb02a1ae69a

SHA512
134ca3a44ec7b9a78f8fe28b8ed51951c2b2d85758a6c2985273d88c2b38b38dc5ab66418c64e068ce612cad7256db7d42eef67035bf3e0f8448354e0b19e6d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b33e3b9f9bddcc78f53867c14a524918

SHA1
bb4033211e1f89054a12bf8acf00a59c0314a6f0

SHA256
90ca0d82180c8b9aad49deb09d752cb73c0696c548d736aafc1ef69681bcc338

SHA512
97a23150b7757e6aaac5de909684ebcc5137e5374d617770317576fee558624992ab3c470ec635ed8af14fd8cfd619ef879dc7951cb3d9fa59756ae6157b0348

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
544a794f58a3f25c8baebba436503c12

SHA1
c04a2464d03810fc2fc401aebe07ea1f0ed1dc26

SHA256
90d379f19811d3fcba1fe238ac82893e954f4069a2a64f7bfe9c526e9f9acb0e

SHA512
f1f9df5b67b116c2247386f2eb9091f269c0191c81602f9f67b8e08a067879700fd9cc967aa7bd4ef9f668af98e72a3777b54ea4555f0392c313a3173957cd9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d4f52d9920b6fde2d8cdc8f2a47d3d12

SHA1
a009ebca6699071fc2e3905e3ede71cf1e0ccef1

SHA256
0a16ff6da8d7b4becbe692540a8cfc0ce2314524a98f139a6ba087ac843cc374

SHA512
fac90573f1673b910dc4d71f11fd116d94017bd461d72f1f6d281d610c3d2af9464e0e88d51e6c9b6c13ec7896eaa44478cd8569f3f5abccae0024ca2c0460ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0d0393f80a1ac68c7b92d1a6cb53cacd

SHA1
9e818a158fae3a451b79a71410e11f56e5141ab9

SHA256
43826c4d76427e178c2e0af5ded9c3969b1a535ebd55b43a127530d338cb29c6

SHA512
4aac7d412e4448dc35b72ed3ea97cf7e1445186aa43d4e51bf541683f73645fcff6d2cab90641a2212f44ec4f96ab51d1b7a74b70ae11a532d5a3f4b2b48f9e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
3f3909bd1c65c25f981330a514dba696

SHA1
3676706aeea2e46f1d4fcbade4d5dc29162c6879

SHA256
ce8d31cb06483ac6d4eecc6fcacd5895d623afbc621ee01da978e4e1dee71f70

SHA512
5da7a2752ae3bd16145a86d96ff1f201c4a7f92db0fed818cbbec4fb737d6d14f90f547609b973e787859bd8b54ae0d6d0cb427c5e61b843330fee69a83d8438

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
3b77892b1c22946cd56ae267a064d3c7

SHA1
16ee4604a9c8ac3300ac5335afa69af2bfefaa4f

SHA256
c6d3b9378f134b59d672785c5d6c602acaec51b3003dfa1b812f57ec4014d976

SHA512
4bdf38f7130796a683d0f1bb452198b57b427d19041ced3e50426411687a3e1e2d2ebd14be584dda1df1ef4844adb69629f4bec5d54c17c531c5cb9eadc4b48f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
dd0a48ebe36f6c8fee14cceb0ae8d8b2

SHA1
58c7642a64b4bfea9f1b4a903538d5d04148e5f5

SHA256
ee641aed5c24406cdc0c93732f16df6a21380ef1e97ce8ed99c6eb3d654d15be

SHA512
69cacff37d7b3b66f458f1e58c557950f91766224237eb7a8883b9725e27dc19f2960f1e19db80354f5d8ab394ef158234b90ff4655ec425686815967594eafd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
43cc18c947d571957b2d9f52ba334943

SHA1
5cfed72ae432643a30e6e7ab982a477de1ed3e8e

SHA256
4c42db3c3bbbd76f8493812311a7844b0c0032ccf818088fecfa3722ae5627be

SHA512
391ef91cef203dee05cf761406f9dac5b09178c54d2a46a3beaa64804a1ca03f9bd1228783c73cdce26e0ab012713f07d633e8d6fa5d446fc87406b05e7f51b0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
aa8803af13eda947d1aa3ebd08734aff

SHA1
a916de52631cc354b0a79bce55146d2560f62c1f

SHA256
6ee3817c37f82d00edb581a64e10ebfdacae2f526e79870419fcfc80c6585210

SHA512
1f7c7ed674e56554acf2af5c1be263ad890c33cb7fccb14936501fb15c2f7caa42f6b8a13729b482234a0dcc61da1ec5034950fb944a89b82bb8b99fd5db324c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3de9e712482bee755e4e38667a97e562

SHA1
31356e55732b62299fc92896f8679cfb9fc0d868

SHA256
d5c0c76ec2c9e5f8a00a1ae8f310df075fb9880ec257c74075a10c639ebe1815

SHA512
987fc2e75c46a443d1ad5d89b75d4bcd5b45a614a730dd3d91911e059cd2c468804651ef16bed460acd3f4b20fe3f4da18400eff5a7d5d97a2cd25cba7dd3f84

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
16992cda9eeee6740c6c78a2fe24484e

SHA1
2f4811811cef01ca582ceff147e9a7d6ac08930c

SHA256
cca828bbe232062c775056ada25c258749c2abae983af7fcf78af8dfc83c21ed

SHA512
ac39f5e29208406b876f4a67f9feab9f04ee112f483131aac630f404b28f05ed8c7b6ad4bff5a87b5a18b17ed4943c9bb5c6d1fba8e53da9b7c0510f071b16ca

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f954f37620714f73db22882003866227

SHA1
9135eef4f0bdc1377e75cb52d20484d01e6f02e4

SHA256
2758819157f9b58bfc55e21e630df5d9ced45f9afda1e14af03d80ef5fec5860

SHA512
8c1fa97e7449bb492a906262aad10ec0782e0c381bddeef1c816c29638a569ea4d0efe7b4488af13c26fc7b461be423ad17c3a505d8f8352875e16bf1db6378e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8f4d34855cfe9f5a67459551d98f8597

SHA1
3dcc9c8b204e237c519ebdd21b81998dc65d938d

SHA256
a10a0897e681a86716c2a6d7e2e09770f3e37e7b8d18b56c29e1dd3f624db4b8

SHA512
5b94d6c536641fd55250b3a1623e873cbaaf575f9c01a70979e1c0224749e2fc93b183f6a9427aa4c9fc76324aa46a166f9988ffe42684c6cbc7811f7403d51f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a6e1a2578a22347ce44a4fb71772f570

SHA1
dbfe86584e815264d576dd89e4e0b353d598a9f1

SHA256
0bce3d0865b34b0b644e1338a4cd23dcdc612fdbd525d0c0183f9edbba63762d

SHA512
5d95a88dafbe02b4931a6f2e21208a9b55465439bcef6e024765c9f7baeb305517025854e0d6c857bdc1b2ddc902714ca90cea7719e307955c2046685c22662b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ac18f090fe58c19e70abdad8151ebeee

SHA1
3fdf18a1cc9582faa4a0617cd2e0abf4ce77084a

SHA256
12ce3e618fe9896f7e3e0c93a1fdee1a52e0afebd42d30fb54fa83353c42add2

SHA512
166b774ce6830ae14c91c292087c5ff202511d0fb4a3cd46f4131783be70fa67309db88a5e45522dac186bc6785b03467cab342225314f2a3468f1b0b74e8847

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2e6690c9563b2b25f9180938cab22670

SHA1
092b92ee596d9f96ca75123bfc7308dc1cd5019a

SHA256
14a41c06c3989a7754da76f64b8fbb2f2bf9dec112a4a3bcd11ab4c6feaa2ece

SHA512
e98e07b6820b2c96e9b0ff5a63c2ba8cdc0651afae977b57b1f4cce99ec3a4526b94ffec1b1df12948d3d26ecaaf889a20d5946726e3b42d0ff68d54ca13b792

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
84e52ada8a3025a525dedfa04626e185

SHA1
6b1e4a870fdac6512d56aa1a9e99c8e466825eec

SHA256
ddb697279d8f1fd7e7e0d42e44e0969feac24bce0cefb96308c7e7a5b4098a29

SHA512
2a4f1001570f0b3480ab6a4c9dab3734add0b193fe11f35a36283d6f210561aba79dbbc8b09660995887ca0d6d77244530a0fdfd68af8844e0a7dd81cb5cf56e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f4e9a23880cc94d1116a915f22adc6b9

SHA1
cbcff6d078ed4ba4cdad66560788a20823acd437

SHA256
089bc161d50c62099eb2db10d5812b41fcc94c0822f808a3da18d3e468cdcb74

SHA512
c18b0aca13076b8dac78e3a49d56a20cfaac3201ed63157815c401a8365b75f0cb85d063a64da4ae1c870369c96ceda0dac6c5d5c5a33640286dd33b80308549

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d9049387589e8360df374daf18f7b811

SHA1
e24a04845e54fa67d08a04668db6105d0ea4a11a

SHA256
7de6824942e7defbd9fd606bd57751ee6d142eaebb499a94c822ec531a22a4ce

SHA512
84e753aed3d2e84603dca982e3dd57c60125e07ae0e9b27b406bd7a76e0b4d5fe67788a1f77f4758340bae73bc00f146b05eb9c4e7c55a7be5c83b9f2479cf37

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
50653865e1cae284dcb0db33d5c7d432

SHA1
a5a1df120609efb02051006478a5d4f23daa9465

SHA256
2fff9a3d7626238645ff39547f7c61b736d0e1d164f2333459f0dbb524dd626b

SHA512
21b849c53224420f33810b1f4fac8e3b3cd18d78a123c74451173a5c5e41638bb8f271dc9667ffa9a65e6238ad258ca15c62a9073d2be3091cad2efe729b4eea

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
19274d3bade655575c062eb72d39a8a4

SHA1
92b71fae7a39cd17c578147711c892bdade77696

SHA256
f76b38e3f055579bf538758524c70c48153848ff91666cc5945f416069506639

SHA512
7d3ea6117fd051bfe6083b45a03583128c578139aad907cd9f54bee1723671441fe0e8cb8d934ded6faf960d0d7b422c456e078bcc2de762b863deefbef751de

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0b35a1b03fb35630dbb86070c4d685f6

SHA1
2ee75b463855ec2ae8567c359c97679e3da947bb

SHA256
5370672f2ad57df3698117cbb2ad4f4fdc86018c3d3294e6a0a95c72806bc53f

SHA512
0db052e680961c108bb2ab9cbda5dcc8b086786ea0970912656d5082d046a6f25634c2b931c8ec723ca77099adf14274dcd394e436e6f4a92a2df11e8594073c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f0cdda543531e561ba4294535e244b41

SHA1
6effa066272474f3012c66f3e99457b0c8b4bbf6

SHA256
c061b5117d2178cd2f6307ce8a8bf41266e52c46e4c32630b9484c855540e480

SHA512
7d634f3ee32755faf8f909068b04dfb7b98656273bbd7826161b7d2b07fdb91c1ad366fa4435605dd896213e160fb5c93d0abdae92c6890e4800071ac40465f4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c540b586869abbe193be18b79d3edceb

SHA1
4693f3478362983037e187b13989b5a470df8400

SHA256
8b28c558065ee6c3269332604b44668e13cda12b3f88e25517d4f89a4e57e233

SHA512
5e6c8669f8a17be5caaa47c4b51d661071442cd750d11ef9ad73a787119a125eab2e34138680a5265d9850df976b6b8c9c4eaad8cfdcadae40ad1b136c0d76c5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4f78f1aa96cc8800feacecc30e005b6e

SHA1
9168889dfa4aca325d4b41d7c52dd398ff8a50e3

SHA256
e77247935d292518661a5fffc47e4c30b89aa9ca5869d423a0cc73f500b151e4

SHA512
8e1a270d5367473f82d1fa13ebe3ac0e12c781b2e6ed601230a54ab6bcd442c2149040bec385a2ce7160187fb2bd9a84c1b1e08162bd3081c20cf5710d9663fe

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
83dd060ec1f3ade66147b8c515abec41

SHA1
742cc5ea8ed62deadf362a62ca7a905d743f9de3

SHA256
58235d3f7a5817ce17d761ad21f0691bf6276b70eca245c1a0aa5f455fc37f6f

SHA512
892bc74d203185fd0ca7e0b89610cf8fa04cff34a2169e920f4407c4e90bebcb865a983c68acf2ca343f7733c7477b985a20b36e686cf144a25686412fe29efb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bba2f8e1f7d37a4611945333090f71ee

SHA1
2974bd4577af3a4f593220d981f70d45e3ae1da2

SHA256
1177b1ce711736149fcf977d9dc2a9a5d380e54b451552dc3ba24f0896912f5c

SHA512
b3781df7ebb31e981c4ac2dd4da5cf501074ead5ecfacadbcd7b2e6169b3cd3de9992038ba538e38a0c5c006a496db4aa1d21aa7cbe25b8688167aec66ff30aa

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b104cdf683a03f88f4a738eb570efb51

SHA1
b0db39edbad63f382a87b1de4987d0841e8be469

SHA256
197dbbff03eff7769e716f358cd6e20642840c17b931a9c83b4a999a5f055f9f

SHA512
9562bc053b0cf53b25a894195d2a1f7e6512e231904cae8752b65b3a648832e0b8cabea1c2c8ef013b497ed30ec85d14c9cd859aa29a0198067beaf13d32deda

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
df5ecdea9fcce2d194f831f86bcc6be9

SHA1
447e7b975893ef264c779580716e948b83418af7

SHA256
3bd31dd0e82aedfb8cfa0916102bb7582834be7defd4669f1979457e668fe491

SHA512
540008e936ff19360ef7083029774dbc3a4d8a308938ee6d271728214dfd9cd906ca266ecf2dd9d99c6ad3d34e0fa8c5afd5ec8841ab995b564c669cb3c256af

Download Submit
memory/216-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/216-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/960-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/960-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1356-68-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1356-148-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1528-145-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1528-460-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2068-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2068-107-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2068-103-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2068-98-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2256-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2256-109-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2256-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2256-22-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2436-88-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2436-157-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2436-87-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2436-94-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2952-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2952-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3028-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3028-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3028-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3028-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3028-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3144-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3144-461-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3592-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3952-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3952-466-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3956-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3956-141-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3956-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3956-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4000-72-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4000-385-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4000-7-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/4000-0-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4000-1-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/4140-459-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4140-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4140-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4152-106-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4152-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4228-79-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4228-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4228-153-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4228-73-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4300-462-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4300-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4404-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4404-31-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4404-37-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4404-128-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4588-467-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4588-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4868-465-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4868-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5012-142-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5012-458-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5108-117-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download