85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
Size

1.3MB
MD5

f0ad6470664fe5b663fdd3fde86b0585
SHA1

dfd562a80639f97198ba54bceeacf61184ff49fb
SHA256

85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312
SHA512

c9fffaffb649161aaf1d1ca10a5ff6801e40279f39295945450e3c2b8894efd3c1092cbb0fa44b58ab56affcae7c825a040d878f0d461c012dc5ad313cb18339
SSDEEP

12288:tT3Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:R3sqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1240	alg.exe
4944	DiagnosticsHub.StandardCollector.Service.exe
3880	fxssvc.exe
2604	elevation_service.exe
332	elevation_service.exe
1588	maintenanceservice.exe
2712	msdtc.exe
4676	OSE.EXE
3208	PerceptionSimulationService.exe
3888	perfhost.exe
2552	locator.exe
1068	SensorDataService.exe
1624	snmptrap.exe
4428	spectrum.exe
2388	ssh-agent.exe
3640	TieringEngineService.exe
3756	AgentService.exe
4800	vds.exe
4132	vssvc.exe
1808	wbengine.exe
1112	WmiApSrv.exe
3104	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\vssvc.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\System32\vds.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\System32\msdtc.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\wbengine.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b55815fe293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f896ac17b2beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e978d17b2beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000136fa517b2beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbee8718b2beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e09e117b2beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9a6fd17b2beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2175118b2beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000226ce317b2beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e910918b2beda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029b81018b2beda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4944	DiagnosticsHub.StandardCollector.Service.exe
4944	DiagnosticsHub.StandardCollector.Service.exe
4944	DiagnosticsHub.StandardCollector.Service.exe
4944	DiagnosticsHub.StandardCollector.Service.exe
4944	DiagnosticsHub.StandardCollector.Service.exe
4944	DiagnosticsHub.StandardCollector.Service.exe
4944	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	404	85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
Token: SeAuditPrivilege	3880	fxssvc.exe
Token: SeRestorePrivilege	3640	TieringEngineService.exe
Token: SeManageVolumePrivilege	3640	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3756	AgentService.exe
Token: SeBackupPrivilege	4132	vssvc.exe
Token: SeRestorePrivilege	4132	vssvc.exe
Token: SeAuditPrivilege	4132	vssvc.exe
Token: SeBackupPrivilege	1808	wbengine.exe
Token: SeRestorePrivilege	1808	wbengine.exe
Token: SeSecurityPrivilege	1808	wbengine.exe
Token: 33	3104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeDebugPrivilege	1240	alg.exe
Token: SeDebugPrivilege	1240	alg.exe
Token: SeDebugPrivilege	1240	alg.exe
Token: SeDebugPrivilege	4944	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 3152	3104	SearchIndexer.exe	111
PID 3104 wrote to memory of 3152	3104	SearchIndexer.exe	111
PID 3104 wrote to memory of 2024	3104	SearchIndexer.exe	112
PID 3104 wrote to memory of 2024	3104	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe
"C:\Users\Admin\AppData\Local\Temp\85cb324c400e6ef7647c7b15f27a616a75354e7cc77f49f0936663d3c0bad312.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2000

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:332

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2712

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3888

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4428

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1400

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3152
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
30b165e326e6c29fa3bbccf4650d2663

SHA1
1c41e2d9334fe6300d805c40b1dce9eb95561fdc

SHA256
191742fca6618cba9d16a4f6d813affdd7d6c52679ffa59c467b17116e38f60b

SHA512
b4e3028667ffffe446ec3698c9ac07acfbd7b0007eba5a3e3c81e5e317fcc3da3c76ae5c0d15a919dd38c951589f22165f69ef92c14b3b6219e561ba8c759e92

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ca51392fe0c3336ec2b460f7bf0fb2a3

SHA1
a99cda794239a10f8f144c311ccb2a5c3d3e8d25

SHA256
aa32bc6d296d3ea5e4cc859990e051a31e59f1d9635f3eb42e0fbc36b6984406

SHA512
c74e19b559d59d9b5db1683d524c26e58d64f1cde6a751e0b9995e586568a4d3b6ccae8fa0193b64e6f5a39bf0646d1fd7e504a0b95d31e631a9d24ba9f89ca1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
fb395ead814adc66bb5c8b9604305b0e

SHA1
087390ffbe6eee313a5be67b3a8fc4b704444fa4

SHA256
e943a03c5d818df550f2cbfcef860f960b139111c1cf1f5a6c80a07e57b92fa6

SHA512
4e2ab51bb6ead32c65ad1ad7ea2c44ca91d4b46761e9dae50dcb4899b899a891c132bef0327927cc9b029d06b886af086ce6a72997e61fe22b41dad762c55b0b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
428ac6f349a63f3858a0435714f0fe43

SHA1
6036c9058f15313225d7aed7ea1f2e226584813e

SHA256
4061b048496a4d29ecd2a47c5312c36f72aa45c840ff532e8c4540f0c632e49f

SHA512
40b42d337850c51f8994cc6b3f8ca23e13ed4cc1a9aec0a4b8046252faf136b0ee68ae6020b2d4d1a6b07928089960564d1b99238a0acd754a992540bfe5e1e5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9296616d1a3c1eacee8e701127276f08

SHA1
5da60c5aac248d3d53cfdb2f11ec6701e20d4ecb

SHA256
8325f633c1f5731cbb8a17d241f8191e645a32e41155a55853695f488f9e3cb2

SHA512
9f3d44ddcac99fc32b86c060e2c9fd2f2976e2761f7c9f1326d76cee5fe2315226579b764c629d1f2c440c03f0f74bb3c5c4b96d4f88d15fd05f9d1e47ce4e56

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5aaf700b321a212fd2e60d398688172a

SHA1
ead28ac151b91d6aaa212bcd016b89e9299fb3e1

SHA256
c8f9728b30d36b8ba03ef007823c3433ad2e485a3ee0c33baa57f0b0d0a70cd1

SHA512
929fd93fd8057d680685be26a8f5b7b3dc45da283134324c96da9a028b00f2a906b623d17bbedebfb982410e83767969f94f4683a9798adbae7953ad5aa62221

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
7e656647da8e32809fab9139a063da95

SHA1
d169afa078679710ba1f041730fba72098dcd288

SHA256
7ed0296ecf9d5c50b87d27c93315ab9253e3e324d6f75ac7e1351380b34ecc5a

SHA512
d465b6a7256432be1cb81bc11e8c2105c9be29e889d691001806d27d6b08acc87b1dfe293cc67eefce3439a17d604fcaa14dc9b1c0212ca6819674be34142146

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e4ff2c988c0ff2989544da2c6bbdfa08

SHA1
b5da6612455256c881312e2032665de4e803edc0

SHA256
e03320ed62f85b8c50e77a64fd9e6c0289da762fc7778d2e3f556e3aac17ade2

SHA512
7cba7234257033faf99a1080cb54433b51e3bfa9ecf797a22da25c5afdd53ce98604fb76f8afe31ed653006d15bd9bd3aad79593f44deb5c882adbaf2c8d375e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
921506432af278d1b0982d41bcb21e32

SHA1
608461a556c20dac44ce834e517798bbdf7aa149

SHA256
2ba99d12b10c8e07a6836ede314e5cad54c4e67eef42f89c84d88ed202063164

SHA512
87a1139c0b1775b77cf84d13087aa3096634602acd90e0c3cbd5521d948812ae5b9d6bfc09c2904fb82a9d6684401a8046b9835a1be896e58c835f5ee3fdd8bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bc29f070e64dab9b4e61bbaf02f90670

SHA1
bdd615e7d8a99c31033d2b3c82c615e87c27656e

SHA256
e15383f9a91c1937eb50291f3d10e5a57d157fef44f12802be0d60852c8f4e15

SHA512
a400bc31651f88ed2d7ee5848b7db18103878ad9beb7589e7adeec8f60dd74662540f51653232b4facfdce9c0bbb47a5a17d73c1600d022b6c5939d4fb1abfa7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
990ad18814ee7bce1505a50c78f77cd7

SHA1
7392a7c457196ef997c1081767e6f0b36f708fcd

SHA256
fc7b29d6e8ce93918f2e454a410a0be15ef7cf6a81bf215da529a9f319de433a

SHA512
ae2b1efa091381ac68f0acc7c9ff6cb03961587fcb48a2d9a05eba9b109268c61c038a5464dc89fcda8c5e57c5cc3a8fee76cda4c619f4f050b782f5f769f76e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
67e5fa09fcf64eaf26e9ef858fc3af4d

SHA1
ac0fb4ca384805133b6bc85c6bb04467d2df0e49

SHA256
8eae85d0076ef1794faf4e9d0be0f82a2f0b420a6103cb8521ecc039dcc87b93

SHA512
0002b55020c8f25cce492cbae351d03e738e5d62d883b05c455911bb430f0c068e0e476d9601269996a77645934ec34497e069ac592800b86dad20fb8b0d8c4d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
50ff591d289ebba84650f64b1a7e3850

SHA1
51c7413bc4640fd6664f7e26457b320f5e84c4d6

SHA256
967994cff41e4e507c5c3610603c04c7f21e8e026e7b0b3d140e1449f76d901f

SHA512
059162cb2ddbee84de84038f99d9aec77d6edf6fe8ed16be2880007a250513da6abb29cf5f7e9b8ef9b1dcf81f31c9199c9a67b5fef0eefecd475a6bae6e58f1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
174ca89bf7b02a98710afdc2dfbf264e

SHA1
91bdc61d5ac2ccafe175b411c893b713a1999fdc

SHA256
324e821de49f195e73bcef93a7ab0dedeafe5c32871b6c717fd2935f604e7106

SHA512
92cdd709832e5bfdf2da951b856e038923fb23fbdad83353a1f4d0b192324f89292943ee046c6d71afbf3ac4424ec33683b880c98969911e1979bec7a020d3f0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3e4dc8fe644c45c71efe99c5a70e895f

SHA1
ad2be2857f4cba8340c74ca292c472b0911fc80b

SHA256
915ecc59a71bc2c993ec2f67a6d0a8e630c2019e6d838b1fb05d220cbbfdc4ed

SHA512
09d712d5b0fc39e53a52dee1ffb71e52d68a76f789da59fb43bb9092bedc246d2aa51a23292d48ff9f7e16fba0ab713dbb5882055cdc0e989b184334773354b8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8b3eda584e8352e708985dd06d54a4f3

SHA1
fd1ceaf914dc768c69e95eb684a9bd63cd29de27

SHA256
907ccc4e52c8c47e86b108213bcd7e6a3988950e92a635f99fe68c4505d72a3f

SHA512
ed1da74d2c94ba6cf35cd00373c7411833d901c6057a9469c278b097753f5f3435036e1305667ccde60b0e8f6a1fd23102a492180dc93b6b56a76916b88e2081

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2e5f372c4813a251aa50bb5d93188868

SHA1
5f395d0a4646898f5eb63daaa99b396e7307d4d5

SHA256
84dd338c0b7e60d7cbc9ffa826c440d56bb10920771567ac1db0ed8a30e9ebd6

SHA512
78e07e1a44f2069e747809e4d8c4a6f0e457053e68a73ab86c29f098a7859f5216c5f98f2109c66b5345cf82466a95203f5bffd364d4c0180da930c9c5f08555

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b5f7c41d0717f59437758d5c3f85cd69

SHA1
3026c2c3e053834a406d3f96b4b6d9399b273f58

SHA256
885c49e22aec29fb754b63012a3b8bf65009d4a5a5992927cb526e67b679dfba

SHA512
2efff75910408f129d6af09de8dfc9c119d4db3d7323541a04d3b6d6f19b8db23f6239d4baafe7e1f7655f6470887075118ebbc2d688d9d95150bb4552bd3aa1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c40a175281358901b8ca824c6526a245

SHA1
c731da0880ee0d574f3143c7284724c06f516132

SHA256
bcd7a264ce525dc178c59e5c34e3a7d74dd099a7271b54029f5d9256dbcc1c8e

SHA512
d04af630a8c610aef3563672558ec3846b25abac3d4d718ef29dea6c10a1b30ce1f7197e092088ad7f80d70dff3948f10f6bc83dc7d329d980aa2b6979520e36

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ee1bba11c74586020eb849cb4a961790

SHA1
adea341d9f881242144ba76cdb1bab0511391ade

SHA256
3fc986550cf5d311ee2ed5c82dd315cc4ed5b02f6fd2783bef1c00b42eecebc2

SHA512
39860d6c1e4943973fa362b6abaf9b3040bb16297237e4d04c340248dbb04bd5c8c71ffcaab95f3291cb036e8a85f0fcf05068ef79cd5af4cf35d154a82c5fdd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f2aafc7a80729b67623c5da803300f69

SHA1
bf3077ef711f16953fa36e519aa30377a52233c0

SHA256
ae45cc5e56a3b209d57551517d4c52c5603415139fa0962211d5bc0cc131e83c

SHA512
b60ba27e790b37cd5391a56c87df443aee12d3cbb2e854a8e4f47c32e4e7de872f02122b9001e4a92c000724efe8e7f5ed0b7e8cb01bcd5ec4d48cc26eadb0b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
eacb425db4f0fcfb1ca7a39f4b51fc54

SHA1
c5202d5ca2ae3d1c80eb069a801c796136791927

SHA256
8eb822c4b6c3ce9916691f4bbe2dae9d4ce01d8715449c25b69a590fbeffdb8f

SHA512
2810afe3eb409f769cdcb4c16ada59962cd35fec5775ae5a30c6fd7dedae53506e915cf53d7c1190bfb064cf78b29b9cc1bb19141f4dc51839beecc6d9a47137

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5cf8904560b73e74bab5b67b48610c8a

SHA1
6d34ec42b51f7a2a95ef0b873b6b87d7eda12014

SHA256
2ab7529543d327c4531643d899cd37457f4bc0dda08fa473da66b6e58116e4ee

SHA512
ccebd4023abd7661ea39970efaeff070af190297c788f23cba9bb66517b4773bcd064f23d6e3686d97040f47b49f9e3a07c78cf6a84d02682544d28cbc3593a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
dd899b476ed485877b8ca11176760739

SHA1
44d3f0cdcf0bef6e26dcebf603ea61f5e14fe512

SHA256
2fb71d72c242e30d5ed2d7f6bac0f6d0e5e5cd4d225e5c095e85570b33a7e776

SHA512
f9a0970109fe889cbe26df71e7ca5e3a02f95457d006268de23443f8a2a5646338bde05860d973422495deffcfc1606aa769181ea246f45e86def6eb20315a72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
ade01df9839cb94fb28244f6985fc88b

SHA1
619b1ad36a475893acc1ccadcdef961aa8d3d280

SHA256
2fdd3de410a2b114105acb7f3547bec58737129ed7329bd30abfd81e2a1ef039

SHA512
c15e90f65d7bfd7db384da7449ef6b0fbc0ad2793a4122b33603cecac048a8d0f15db52482b386c197c381a00a3371920bb594d6df59a7b886a032c518c8762f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
5bccd130ba7e48db79413dea4fff6c3a

SHA1
f393a85118727e06207bb523e9d78dc651c335cc

SHA256
869ab9a503741abf6b37e396640acd26f2076edcb9bea69d3e2926af2849e815

SHA512
a1be75b384e32c366b87618f079fbca15fa356381ad53775373fc6d01e7e9de7b95c66d1ae3b14327bbf3f113552144a405c880ac420fc5512e69fd55919a0ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3bb91dab651eed8ffb46de7e1dc2ed27

SHA1
4f50eb3b5f3eb22319347e660fbad22f29b62306

SHA256
cfa3cc70876d5cdbe696fb48f80db3196065e3c9ca4f530e8a6ead97f79cea16

SHA512
eaac9847220cf63850162fa51785c998e701aabb245834f00a90e2dd8e7f66e4be3767bea7b6206b67de2c7d249aac643fd3d653e02c4a1bef32b7ca00027c87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
0cf107eb5ecaee4f2e4ecdec8b2defdc

SHA1
73177f0db638a4fe66c0e2d1a69a4024e52713d4

SHA256
3345ecb81bca9ded6fb707c7fc6f9779eeddc89ac38fc48d586ffa5681df2895

SHA512
e481b31ff7e23bf9d4de95ab95d34df7adb96b0dff1dfa27f05fe2cc74e8be7cf0ab024b283782c2d5f45f9294212e8bbb17bb1a7bd6775c4e934b51a1b2ae6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
6de902c6561c6e3b36af400d68641d86

SHA1
8183111427a6d9c91f21dd3ca7b0bcf8b890172c

SHA256
6b496dce91093e5dc672d66856cb850bf463ab284a7b4f262ff14cb8e5ba81bd

SHA512
5a08a0a7c88dbeae57619ce9c85fb54fe936c2196aa24db8483e6ea8029a5aa4552436ecc02ca85b1d944053e77597d541fe954eb2f353a59190ebc3800ad182

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f66c7eec356854955d9e5c8c2a8c65f9

SHA1
5216edbc50c8ad559588f9729b7a2445b067e8ac

SHA256
9ef5552302bd99a94b338e30163e058f1a611bddb178f1ab068f2557f3c4f597

SHA512
356a6dc18cece835c5d7d996e1f8245271bf4cbae993a70aae728d0ae871a89232a50730a2f9a1570583f3c5ef6be1f2024b04cddd91ba4470ef0a63ac73c71e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
6b68be59d4e431a161f23096660e1165

SHA1
d1972f15f427228d1558cae9cb5e578fda87d6d1

SHA256
02aef7ed783c3c3c6b350bcc65ac1086291ea919b913476750363b14e4eae819

SHA512
f2ac37ad29561aa70aa63b198ffc006cd5ce15a3d7900bbf092dac5465aa6db852ba4a92245f61cf386b87d1bd0e05cb041a6a0b959e592c457bc8583cdcdd6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
1231f3f17703ec149caf353bbd6757bb

SHA1
e73799e73b9d5b16be3c6a12e055b4a04c15458e

SHA256
adcdd27e7e7feaf3ec35f37acf01aa824184f406b076400868574149eee4902b

SHA512
c99e9455d30092c29fa54a4521dccfd1a06be62b2165d882c0d79e01be08856e312d28054d741f367c78dce0d965535dd1b24ad366b4a1d14c560d88b392ab3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
8442b2f93bc0aa34f503976d42dfbafc

SHA1
10cffb83d77173fd18d58b9458e159f06f24090c

SHA256
21a7a0ddda3287880a1a55c93d4b13ccf0ccafffbad4ec5ecd2640d44f2b78ac

SHA512
8d4f10498344260f35d8dd7cb5d0c692f3d0014c521abc9829f1af06b296de13f9ca0bf9560713f842cc30fe669bbe95b2040e0882907bc149ce49e5ef7541bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
25aec97ed7f73919420735bb1127060d

SHA1
711a1b9608b36c40e1b86e2653eced3bf3710a55

SHA256
21a68006a42e42dbc4e93a4198a7f9db9aa310e165daac9e246a1e437d654a02

SHA512
913be737f597b316e9aedc50f5c41cdd42297600f8304222b1769fa6d9d25a04c699cd4d360f4ff379f3ee7be10d195446d2384b6e014a7eecdbfe9f45349d6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
f9e0c0e2b954ce2c814450c1a97dbc04

SHA1
e14ca2210cc090fec26a984bb2a966bb630cd1d5

SHA256
b118788dfdbfffa3a2a9fdb5ecef3a7f3210661c0718a865176eeef835dc85af

SHA512
ce565526f15372d244dfd418776bd388e6c868c8aab077150d0a47cddd141fe108533f37d6ae3e409bcf9d34a88b0334827daf629723189d0e400a2a221636e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
09524ede62d3f262d6948e34e0378b2b

SHA1
8726147590ba40069e003ab844ab8ad8c27c6d8d

SHA256
29d285668a1fedf43ba66d81c87673028a2be240e2863c071f1d276bbb2cf4a1

SHA512
be4f17c0e2e6ef868446edb6493b55675adfc4fd8c4d3a2ff38007a6f652a5b71f0d65dbcef31ec0c72f71b1d221f60e35b6e5219b88bd07309da910ce796867

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
b2f97cdc684fb126606d2ac8b9ce5316

SHA1
746acbfa91e18358c92d7c7d51dbe603d5dbf2d0

SHA256
0521819acd141392acaaab55f4e4ea40e3d62131541bc9976b1a5407a9a4f7e0

SHA512
cd673fe0b9f0edaae49956fbc701e6bdeb4c836069c4d110fd91a3ff9ec181383cf2538ede383090d894c24860d5db980cbaa841b007e338ce7968f8dcd8b383

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
021a2ce6bd78c4f38ae4838821d3a1b3

SHA1
5c92ebfc34d3bfc56610fc4276ce77cc8f8ba592

SHA256
f93fac2c293342d07a43cce2a7efda589576a4963291d2e029e5518d95777df2

SHA512
f53485fe745ec32f9556700a4e734fe978c7b157691e355b73ed0540638146cac3a41d63f6aa1aeee7bf74de8c2f17153b437c9889720c193541afbe857c834a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
71de84e7fe818c574300ebdfc4ea071d

SHA1
f1c0ca75c7a0b8998144a82d683dd1ae2a13ad2a

SHA256
75a86bd9e4f9dfae478d1825ff4730b40c9897567f8a43a69137336ab6e08b06

SHA512
63278bce6eb5ea3cef8613e6f26dbbf0e297561398d06449f9ec2235d0f4bb396bfb6f91a9d8d2f9d9c4eb568e8bcc8d5bbf1dd647e92c9f9f6c0f95a7634441

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c1e1fbc18969443f8879e8134ee1712e

SHA1
20209d2f57cf95770228245f1762078c31448eb7

SHA256
74c48e3683cfab5ed97979f0923b39ac5582b488bd10de3971b9ec9e4fa6653d

SHA512
60870ac219d4fe66c4de54c938c393f53401b47a930f6ace809e96709731ad694a6a5a4fc444f1121b03ab0e2d40ad0249b434b893ce89444d2128b0e90a7cca

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
07ca64ec8034ea12b6af26f7229e68a3

SHA1
412acbb5292924fb870e2d2bc658802390f4ce90

SHA256
67d89712993dbee63667d1cf432c97069bb7ec74f9b321afef9a7d0bb9cc8523

SHA512
3ddf66233efc945526af7f81617ae31c91a5a3f37071df5bfd2959054db5d2a1707121fa913de66ad7caaaabc3feeb06cb9fc695e5699138616b35fda3d3824a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
bdbcf0ca2c4c9bd010c128bcf128dbc5

SHA1
8d810aa07817236e7812bfe53852b5078cfd32fa

SHA256
793b08f3f22ddd46bc77939c1800918c938b8e4c49337cfbebd0cb6ae2338bab

SHA512
527e7e72a920e01888f6561e1be4d3660936e61d8271f7da9d486aef94ae554d6974be5470aa3865fcf8ca3580632eb3c25519e72bec36a30173985b1870695e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a5d8b495e560aa941a84f3babb1a1266

SHA1
315f5f47fc860cb15f9e92ebb0a3313f940627eb

SHA256
a97727b81144b87b196c4f0019225140402763d7ed25d5c4bafa5600dc1d1375

SHA512
68bf33864587340ff112eb72809c86d57de589b82acc97e1421e3da207ae477a07a4569f02a4949317e910abf3c40201e4c7932a47c17eb9a8f64e56484af8f3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0fb705bf9551bbb1086575d16bde74b3

SHA1
bc368ea65e280cc4f2798a9a99423e2ecde0693b

SHA256
5bd3e94129217823b87cb912bd5f4da0f22bdc47a9c09addadf65ec2fdccb688

SHA512
28d7d6bd0f0fc806cb860a3fd7335efd5550fe87b2c028b4cf0c0198375af284abb53650a848503038b34f3ea65a8077572f08679f79fa9a047152905bec2121

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f06f1de286f954c62fca5af146bb46e0

SHA1
aa086d3076090512ea29e04325f0546c422de56e

SHA256
c7b055607c7a6c2fecf0519d967aaeed502f1e8678991f31f8888c5447b4f0df

SHA512
5c096a8dfcdd0e01152d638130ae224691126b6e369becfd7e558be183e900c22f53047c47c9926ff095791ab26e26ebc780435b5866c8a52020863e5c5b33c9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
703f78ddad34702144cf76478dbfe223

SHA1
e308743b02c16a6a6e279581725a54c9da1e4c2f

SHA256
9b5cf9806b348638bc8e2ada4a6f684766e4b9a1f8e78ca9f20a605ac6d257ff

SHA512
ba7e0503275991c6d0e0b0b3bc7a68ee4bb96dfc5dee1085b0294f5580d54495f87e66c15f62fb0b17fd41cc151dbf010350530ea189a053423fe8a48392ac0e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3750f44336a08c4fae8e9725570f9f42

SHA1
27820a0b67cda3d548d338e5671da609cfcf97d8

SHA256
a18d0bceb0ef2202a5bc18c25031bc0d5601ef6ba7322d4b1632796dcba8a419

SHA512
4cd4bbf8e3fda17447340c8e22c66c6a35912032753cde1a985d45dc8e07b9420e773113b3d64e082e6e1316ad50ab6473efde48a80074a4ad88adfe96b225ef

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d4e55a380cc85f61fa50bbae1cb57188

SHA1
859c175e76e5f0ae3939b234916bc2827ea79c6a

SHA256
1a5a0ab83722db5ab005d0d1f3a66d5828dc79df0018fa31cc2e7688f8ddb3db

SHA512
73bdee932bd95747903bea511936df0c689a06eb04fd215de6b3af84a50f1f091f671255a98b2166ff01c0ce7eb948213869d3b3072830871e970957f7f430b8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
23e7ac051b0dd56029543d5dde6ae967

SHA1
fefb3dc635431152e10839ee57d50edf494f124e

SHA256
19f9df19d21569e91c68a9b946460e75c7be7757cc65234081f92601c2980dd2

SHA512
6ba285389ed0fd66b00722c839df87db76e303dfa36a23a325c8c3c84d887735cde039e2fd4122f25882444bc10585b2b0534ff09cf653b6a312875087eacfea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
170387bc8b7e750a2513f98135e73b51

SHA1
e714b6ad407a09f8e63a8dc1ddc11014d9170a37

SHA256
f08c9eb9f1d8c626c7296790487a12abeb2d143a812409d963bb6ed465e10ef0

SHA512
2cad228b17bde46ff871a90285c28f3d187c34a9c5dec7bddfe1f9346c534147733dd210eac38c8640b4e2b56b4e93e7063bd1880baa43943e656d36703011ce

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8bed1cdcf0b7062ab7ec96ff42284341

SHA1
649a591eaa64fa3dddeb36aea395173c5a8f10df

SHA256
afc57e114515a915ff85a9516df6b53c590868226848471c5689341fcd4835cf

SHA512
b1dd7e279e5bafddddb9bf53bfe2a55d3aa3d4a9504a9896fbd0184fd60f80f34c1934aaec02393f1c587b525522a28a62d8a233097e1d9f865dffd7796a6532

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
dca733fdaa860ee74b68767935d9a4f5

SHA1
1d097c868fd85f249a1f06af6f9f883fc3b8f7f1

SHA256
ef29334dcc5946e1738d6b0e9e98439cdedba461a5b4954ab39cdd08463898f1

SHA512
a6ecb0bfcb76115c0ed97449425979f2ece07743627c61cbc687679f16e1b9c8020dcea473e64d1b3cb8af0927f79c02eca6a60b97afd98f24d620c3689ba35e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
7badbb0917783f3178d0dc922f1554d5

SHA1
729fe87fcc6882691fb5293e00c251e99ce7d418

SHA256
490e37cc33eda924d9273ac762e24621f708b8985414c3e2f312cf4a15701fdc

SHA512
eaba40ccb12793a9d2ff1b11bad50ce01d908dcc44c97d5af195d72c623738bdfeb67615cd25a39cd01c04070452c6852691015a82e94190eb09737366be6d50

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
24e9034c9d8c03140340e8b562327aa6

SHA1
470accf5ce77a27a0b6787572adcbb15777ca995

SHA256
7e7365663e11896f3d362155227ec8d5c781014c1a61b1b83079c69e6b080ffc

SHA512
fddd71b9e6b12189795295fed0ec52a836e20d3bd5e13ba6eeadc678ab0c7bfd0929e9fb442e559ddf49f85b4deaba3ec9184101d796aad7846836d884afd9fd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d27c8f34632aedfeb75f0951528d9219

SHA1
8c60f4aab1a112f777beff182f33988de33be23e

SHA256
edf0cb1958d3072f7ecfe13bb48674474df8c0de146f118e5753243025861f99

SHA512
cb26858125d6d8afce0295683cd70bd0849c740d2cc6fae8fd7390deb3c6bc9b4b2984ccbc6033b2853467d3a48d135f456401068b6d30546c44cc09e8c73fd0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
351ff55f358bfbedeb172b07f26a213e

SHA1
19aeb763c6e8fd2d29885e00f7a954f4e582f7d6

SHA256
39c8c41337717f6bd746a818af81acadf6dbe3b97bc345af9eb3ddc0724cf5ef

SHA512
6f36e229cfde7a88092d90364ab2c16ab58283b267307ce62dea91dcbbb8df81617b9246828cc8bd1b973a152ad484542db94ada221e64fb046f32ffe9c70071

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3b55f0882dd7fe53b4858a635e720e38

SHA1
942233c8da76585bee9f829ca6357d1f85399d6d

SHA256
169b68eb939daadf503be4010156621e8040ca44303f33fa69357a3e4690606a

SHA512
92098394131c97d127f340caf2e744b5b043be49f79088f8922f6c46850451b5633284239c35cd3ae1eb6d33dee1624e2f16633952927b658cfb465a9694a9d0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0737bb0768719f7bdb3f82ba903c19a8

SHA1
9a983ae73e200029192d67c5218f31190ad62577

SHA256
43d40ad2a3a92a9dcb4558dade0a9fabf534f597282a9d96555eb9a63f251200

SHA512
451cc54536eafedde7ac09b7cb3165a0c0b058cbadd716fd46172cc8d53c010f6f3aced72d9844b171bd263727eaabac36b0d9cb6ce4b174fa425dfa18b68d1f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
46c94f3209f40baf3b6bfbae534fe108

SHA1
1150f19a7a53ef118eca2d73af20d3121273c8f2

SHA256
5de9a8b8ae7ba00ce52bb246468087647df17ff472be36f366da6cbe559a563b

SHA512
a04a1b11c714751087fcc308757e5c9c6209cb3ffd890d56887f087ec7f4855429b346345ffc44eda14d6e441a58a156169ab0d1e017ac700f3ff2cc92ed9176

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
f3ad8222bb8cde4faccf8527941b7936

SHA1
e09aa4b63e4896613f690b76cba6d6883c050344

SHA256
99ccd3add347815baf3de6fa63f146abdc4cf2adda808407f92b5b6cf80c33c1

SHA512
cedb45f72768171dec89073adce9aedf98af5d12dcfee5d0123e1fef77f2b199a7c423da60f258cdbd45ecf01b04076eed706af386d3ea10f5f4fd5a9e68033c

Download Submit
memory/332-572-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/332-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/332-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/332-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/404-1-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/404-395-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/404-0-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/404-97-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/404-6-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/1068-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1068-535-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1112-267-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1112-577-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1240-20-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1240-19-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/1240-11-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1240-110-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/1588-86-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/1588-84-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1588-79-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1588-82-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/1588-73-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1624-575-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1624-162-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1808-265-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2388-261-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2552-149-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2604-58-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2604-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2604-51-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2604-571-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2712-88-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2712-98-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3104-578-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3104-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3208-147-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3640-262-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3756-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3880-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3880-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3880-46-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/3880-39-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/3880-44-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/3888-148-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/4132-264-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4132-576-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4428-260-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4676-111-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/4800-263-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4944-33-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/4944-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4944-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download