e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
Size

1.4MB
MD5

d41df7b49bb7458ae72d6860a96116c0
SHA1

343627bbe816bd1fe72379157969d98af2c02945
SHA256

e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01
SHA512

365a10a97f3fa8fb718f88b660e2020185eb2e2ba4cacadd7c5eeba98757bb30811b258ca35e56f889caca609addb54613509634de733ef84d9304c92644c0b5
SSDEEP

24576:B8CF7ldz0a+6bpVjTUIBSnUThwMt+EiAkbwRobfHRFcbK3eUKUzy:Tm6lFTUySUTv+YktHRFcbtUKA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4344	alg.exe
3952	DiagnosticsHub.StandardCollector.Service.exe
2272	fxssvc.exe
3040	elevation_service.exe
3020	elevation_service.exe
3332	maintenanceservice.exe
3840	msdtc.exe
4800	OSE.EXE
4392	PerceptionSimulationService.exe
2976	perfhost.exe
5012	locator.exe
3780	SensorDataService.exe
4420	snmptrap.exe
1920	spectrum.exe
4452	ssh-agent.exe
928	TieringEngineService.exe
1968	AgentService.exe
5000	vds.exe
5024	vssvc.exe
4612	wbengine.exe
4908	WmiApSrv.exe
4788	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\22dd0ac1293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\System32\vds.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002320506df9bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bdfd06df9bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf59106ff9bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b3a4f6ef9bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c74696ef9bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025c5fe6ff9bfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000807cce6df9bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000155b4b6df9bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3952	DiagnosticsHub.StandardCollector.Service.exe
3952	DiagnosticsHub.StandardCollector.Service.exe
3952	DiagnosticsHub.StandardCollector.Service.exe
3952	DiagnosticsHub.StandardCollector.Service.exe
3952	DiagnosticsHub.StandardCollector.Service.exe
3952	DiagnosticsHub.StandardCollector.Service.exe
3952	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1416	e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
Token: SeAuditPrivilege	2272	fxssvc.exe
Token: SeRestorePrivilege	928	TieringEngineService.exe
Token: SeManageVolumePrivilege	928	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1968	AgentService.exe
Token: SeBackupPrivilege	5024	vssvc.exe
Token: SeRestorePrivilege	5024	vssvc.exe
Token: SeAuditPrivilege	5024	vssvc.exe
Token: SeBackupPrivilege	4612	wbengine.exe
Token: SeRestorePrivilege	4612	wbengine.exe
Token: SeSecurityPrivilege	4612	wbengine.exe
Token: 33	4788	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeDebugPrivilege	4344	alg.exe
Token: SeDebugPrivilege	4344	alg.exe
Token: SeDebugPrivilege	4344	alg.exe
Token: SeDebugPrivilege	3952	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 3016	4788	SearchIndexer.exe	111
PID 4788 wrote to memory of 3016	4788	SearchIndexer.exe	111
PID 4788 wrote to memory of 3516	4788	SearchIndexer.exe	112
PID 4788 wrote to memory of 3516	4788	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe
"C:\Users\Admin\AppData\Local\Temp\e34610f58d87a0d8d819c6d71e21bd3a3eb1443d320b10f6818152b3c87a7d01.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2120

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3840

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3780

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1920

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3016
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3dc9164b97700870a466dcedaef73773

SHA1
965ae2ccf4617b816269f8e4e45eaad92e5277a7

SHA256
693b2ba956dc4ea7131ef07783a0249302ba8e72cbb9e981d65d7431795b720e

SHA512
b1815e0ee26a317e5c62a99c271effdbab669bea8a2ecc13716129d77a20d803b1cee4c359dc528d32340c3099b267fb4b7d161a6f31a978baf4e4bf36a69303

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f94a13d8c296ed5c30af4429d55e5030

SHA1
9c9d3d5010ca1edaa299095d71e71723a2138638

SHA256
fd2fe6a4c1945c610c8043493d512dcc4cfd854019c7e7fa66a11412cedd8585

SHA512
0af2a785ceb473563d5d25ef6b11efe45c5a506d46f656d487b682d21561ab57622054027f072e049c334ceaf117044a6fcb23bfb855c3480d2fb39839818f7b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6286417a385a6582a2d718bc4bb8d2e5

SHA1
f88d692a26aca93a517c7f7e1c71749427cddd54

SHA256
4c48fb2fab939232102b5f19c347e868e07393275795d0b6a23ea6e8ce729d13

SHA512
12434f26190360bb3efa3d8e3848b3381a85d97fce4747c670b5ab1b14eb58d48fd7bcdef622f52f905027d09719a33b63d56ac6bb1fc810ba0165997d578b88

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cfcf22443ef076d8b3ff4df5fba8cf86

SHA1
4aec4ee1db260842f13343c238e7279025b5411f

SHA256
814c5588a31044be0116a79bb168db74cf9c19c4931c46a9a651753e4b0ac4f3

SHA512
0f511f4fcfa94c142305ade17b984d0ee395d047515bde787eb669669eb5f080d478bf2986f53ccddf09345a0dafbc97a3987969b96b707148ac583641cf645e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
13802642f7e82912abf49fbaf0124009

SHA1
362d37d134c2a5a22cf09f921a35b1a87ee8090c

SHA256
517b2854729f03897313de16d3f0f817a8491e442bff3ba8c407dc2cb720f521

SHA512
825e18919773a86b53117d46a07b705f67f9889d082d84f451f0f0e0261a927ff39070b4f3aae9a9f4e8ceacc5e3a347bda427b8b75777bb7a42d7df6557d6ea

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b45e92506b60b1550096f3b08c24fd48

SHA1
9c8a2c8e3c018da91942d1fb9741ede6a345cf1a

SHA256
556d02c4a6d84d5f4eaab69ed03e5f485808dfb96887557daee27c8b8fe9cdd2

SHA512
5a7e76f8a1b83e972d4b2861d69a14a3b34ca18936e78ce4539eb85a5910fba1dd8738193aa7d456da2772be28b7ba74b0e52ac64edbd9471375f81a68eb3583

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ffbda22b32d9ee8dbd3fcfbdc7a83409

SHA1
53cb0452a54febe031d0a93ae1dd2fb7bf116487

SHA256
c2da5ba9bc6972c0f46aab8d8fe7c15598829b65806ebe54fdd93597be428f56

SHA512
2a4d15cb41cd69fc0ad8e4ffae9d16eaabcb74d4f6a52d7da9458950a1c1dab69e6f6ea579d4662a066ec211cee5329f4279785a460d4974a11c28294ae549f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
70bc044e288288e284bbfe66ffb3bdbd

SHA1
f8238cfc32bb68cda3dbc58a304767d09e152f9f

SHA256
441dc5af9d0703a90a266cb878b20a854b64bd0086b9234f732fd2bd62bf7e2a

SHA512
32cf59f2a2e22f07dc9800cc631acbda0e58c8a5bd6061d9a407fd0c45d287374b0fdcec9b89482af221e9d5dc9139179e0cc7c00e54eb6eed9b0ffd0de87ec7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
cf15c3f0ac1d25bb9a82c63fee7e96c4

SHA1
6f38101f10c28acee670d32578b19902049cc0f5

SHA256
e26c1cc5eb1e232ee1025ea670cbcd46a5a4cd6a14cbe04ebdf1a304fa9d8ccd

SHA512
b745ebbe6fa48ff678cd751ca62cc03fe1a50095f3fb9421c8b6f58f7698b31ecc37ffea2db08424a4bc2f086c963ffba791936067008188ffe4bbfb19bb5588

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
40be43e97fd3e5b58c434f83a70abfc9

SHA1
c31df199878a4dd197417dc0ea3049afb18d2cd3

SHA256
95da2b39a4e35407b3e69cedce6f90a5d21f4c862df5f0469adfec5e25b8a57d

SHA512
c716de8974352a3011f1a38de73032eae5d51f3b899c1c35de199e8b813e37cd7e102d66f988a736b54969ba98cbb3071571103f8cd7a0ba62e3e846a2d59ab7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
db186ec0a290b606f9d73d581c0d389f

SHA1
f24bd67ca034b5b96941ce5ce42e4249833ac221

SHA256
004805a6f032140976a1661de18ffc05090bc886fcfc54839ef5c4c9b6e7f047

SHA512
6dbcf1713e0ede38c2b5232c90379b869615c8af6361a883bbf19d2fed223e79b1998eea09a1e7fcf964b247358695cc08f2adcef5abb8379abbd9cd3ecc49f8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0716d447164774cbce63db2eb801db3f

SHA1
2526995bd6886068a82b97eb2c211c6fad82e079

SHA256
3dad661eae5e4f9f36e9f4764848672043d88983d1d162ddf5f2126bf9deb835

SHA512
1a7518ad8d9fcda7762cce3ac8ab26702e21d8120eba3381191713760433e61c28892807f9d667b1ca39aea10c675cb29df5e45b2f5b41cbba66bf343b454876

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
48d625cdf3b700b9ad21c47319b29012

SHA1
eacf49a029464cbf6b1bd19de47cf1363e8c8b54

SHA256
c630e772e27e423fea0e5fc31545631e2babeb635f0fc6ec93f7724f90a6d41c

SHA512
effeeee53dcff4de1575988330eb033498ee4bbd73c6eac38ea988e9a78ea18d65e131bb6cf15af369f41fb7bb80b0d3015ea912066c47780d0f3835a259b42b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
eef3c577f1369349de01981860ed2c46

SHA1
0e1aa6188b60e9686e220c4be1c1ff57e2828594

SHA256
3eed73a7ab27294e73a2343f1f0ae406c7e433a2b11b4cde20bfac1ed0494180

SHA512
22df3f547628c2bd8cf504b215d1cd562e2193d9d5fd4d7da1cbfd1913d225e83f7d9bcfbdff0d3ae72915cc4a5065f1510d64021722c6a1a89a1d42b2832b7f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7d3a067f25c76d7102903d5d0e26d1aa

SHA1
32949d0d2b52535fe4e75e9a48cf14135fbc586e

SHA256
079ea8b8f5d28bf6c3c07e8348a6e320d3f4b6e36d5c97cf3364266ec89da93a

SHA512
a88a99d06e0dcd590fbbb10454dfa3d0e75c8032dbc5b2adf906c84b813534385eb9328f228ea429757ef5a94f9df3aa75e133e5a0bd51e6b7c92aa3962b9d2f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4e4a740e7ea076de2350704a836b8aea

SHA1
25ec0859a033ec8244b69683f0107a0bd7fbb23a

SHA256
4b64f757278bae8b7d42bb7c445f84391d81f2802d48315a42459b52f1eba109

SHA512
84f31feee2fe6de2944efc7463384e8fb44e00097b9cb5dd4f975e5c0d0907dbcbe43a8e91894c218677f7ec93be8b22788ae8ee00fb2fd5390077dec3e18662

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5166b0828dc0be12a8744c2448ed779f

SHA1
268abf68a5546e4a05ebb6a2e4bceaf9423d1c8a

SHA256
c050c5139b887ec42d6ba220d7ebffa0ff194d0120cae20349993d582e4bed8a

SHA512
6eb3f74fd87166ad422938c033497fa2136d5beedf078ac2a266940f3304acf6ebd159e2fa1a5941b4782f241a3bc5b0f5da3c0e783b727ea1631fa58c7858e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
82e977e1d0f4e40085d91c344211a38a

SHA1
d91c2471813b27a656fb4ac9d2c1576fdd166eec

SHA256
29bea0d9d8ffd407e6cb9b8aedefc1d6d783d309851a8771b3d327c3deffe9d1

SHA512
53a8c1e1549e448a76ba7ae2a609007f22357fb7f1e3e37bac4b3edc99a87711c14fd49c7a8f051d0cbac489df340c9e8118de0663dc48a3db2dd7caf9762e50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
be4aef8608da6b8d9fa6ff550f44d3ba

SHA1
633bd3379170330d9ef5931654203cd1e7f97061

SHA256
9ba9055a99e6de3dde3f4924192375dcc62c7ea5f321d43c44f36bee0c919b10

SHA512
629ca3fe77ce57201d302a5a5fe1498340b60d44f31fcd9c716d5c8529c0348ae12ec1fd4c4fdc529564dd3277052a66f5b4ed6fc879cca29a6901809bf2c7cb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8498562278dc82a14ea7be2f84da2917

SHA1
406ab2e1ee001f7ce768a34e81495e0f9d16b214

SHA256
378f7cd052a4d5c87d9ac44dab1eee4ffde2d929bcdbb4b94be573c79d06c0f6

SHA512
b19e3abdd8c8e9085b0c20e20be65503e6123f94250c9a2fdcbea9656ea7dfcfde1421071792728614ada9a40dd23f5018468a47de7a7edca91f1355e00f5114

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f0259b0085875aa74e36052ea04b969e

SHA1
f1a5346a0e3040029262e27fd248c955dfaf346d

SHA256
dca40cc5c057eec2dae7f8e6b351d083857fb165e880cd5a0c2d0f54a3e6e1f5

SHA512
a72a3e50ad7fa7d6e405b0fda374a3070a7bba3f4185cf31649b2cb0a11eac1daa4de9e6a7d95b69a28f2c6af31c2bcc73802f227ec0258cb0b33c2a1a19d64a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
72841375a3d1f334687afc3e99525077

SHA1
801a26a34b0ebb8e95f4560d851c946f3fa1c4e7

SHA256
7e0589b872a7938a3a3cf8cf889c6cb4a996ed240e95da7eb33e6e356d1cde33

SHA512
3ca6e55140038ba7bfe9853762873ee2a44041155b11d15be178741d420d4e26a2802d9ed57b1417fe5122e1c449cc049ef88d0ee4423b6ddfb44f563b70dfc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8cb2aec301e2dd07bdabc18c30ec6eca

SHA1
3550515147608d2c7bece3fb14b728cff1a70ff0

SHA256
55446f5ba88a55b6ea2e892e6471274e27722a37628ef83364d627abe7c82ff3

SHA512
cd8e3515764c3940804a5cefc6180fc58d76922a705dfce016fb15dc9c7e7ddda7754b42150e32078480f21a5a70207af8cfe2fc1e32f13403c6b23543834a78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
75994bfb3c9628f26322303b8938d178

SHA1
f133ef2f41fbb602c9db6f31a5648c0a50df71b7

SHA256
dfedd2d8e1fd3e2fc4e43736193a958f87b7ce8b36b79dfb60520644a5545009

SHA512
7c03c487f2ce295d0e0c6490cd1bfed62855db536320f2e660b4d4267601d5693b9722bbf1858cc203ac719d18676c80ad0a601490b4179270a4c48ff80c5861

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
705b0578216d9b8beb07fc7c2a0818eb

SHA1
8b6103d84d6d76a04fa830cb4f1727745e419d79

SHA256
1efe3db5f03ac8cce6fc45e0d2acfc1ba71fc102c3428e16b1fb508f84925bf3

SHA512
e84a784907eb83b2c41424ced24f42006a2e96f9638454fc8d59b6b1ecbaa0f18b2724f9c3a91a2eb638c85ac839726104d96429737d2753df2ef64f3bdf7a6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
dfc6ed0881587be8dcbacf6f514f1ceb

SHA1
cc563f3492fb044ab0dbd9f647b900087a6ab3d1

SHA256
2fbdf8cb652227612012d45b5d7c4170d052ce8e5c644493330540c8aac361c3

SHA512
6def49215d6bb071c6beb271f3bd2b94f46a8caeb4264ed900ec41beca9377008f1a21d31c63370874b4bdd60e3d306abcab0e90bf8f07cf31f0c970752fd651

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
ca8bea25732f596fb109947309b92cdc

SHA1
0cd3b2eaf8e72fee932b8ab9d5cf0a33f2b7f158

SHA256
393a3a1b1ca67b60cc9e50721d2b89ad92c2a0c31ab1da1d6795d8c879089da7

SHA512
eea8221662cf3bec3945379dce37b7a2980b04cac1735cbd742a421f54ecc154cc38390a133685df875cb8e5d7f7b39992b015185cefe85f40eb10b3a73fa753

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
027016f85b3dafe8c54418c3a7b8fe7c

SHA1
c5d4aa0de6586502eb7d2ed5dd9b35a6950a4e19

SHA256
047744be667508c63073c41e5504958fdd22ce6582c7a0989409e2a046ee8401

SHA512
813a12e401707412c8931e77950fb24fa353b7574cdd6208402b3fb40f473e3b45d796486aed14b4a4110a1bd01cb49b06421f80b3d88cd0355b5ef0c691189d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
1f894a1ee9c1d42f302b68a551386a67

SHA1
ce179f82c11948bbd0950c2f5e635527eeee1b25

SHA256
b44b111e64d1ef9f30a6ff5212f765cb260190b274963eb42475b8bf63091418

SHA512
7d2f1c64d367ba13aa953049f118417f160f8a86851e0e550aa9dcea95da709b9145ee6ff24d4fff1113c6920f15151f40d16cdb4523a3a7c9d4037a42e4474e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
68e5507b8b83be562baba6dd65f64e3c

SHA1
43eb96b8e4a1d9262bcdb1f5350007151418dd42

SHA256
c1b16e240cd2a9b0723e1b88be4abe69f400dfe52d51d34529e11707cc8aa24c

SHA512
ab3e75426ffb8baab25d3a659c376e3bd403c3a65b90320e827b65c4452aa25d82ee19e27ebcab316d6da7c4d0191e3bce64ee2c21269f9bd9079a019e90e534

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f70dc8d4a9fd7253c9a13a858d134b53

SHA1
84d01dda4d6d91078262e8b2b4d6f29878166999

SHA256
f49a44fc21aa3bad91b01b82ca0d2f17654ebd86bd5f61a90b4e572983d7d8b7

SHA512
11d407eff2c19bf4ae0db9403be88414b5892979ef02ff9e9d1bf71c21bbc17e03c143ed72a117986af5e2e4869376d9aa7eca8b2ffdce5778d7d0c2d940beb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
31f3782143f705893bfa4d3664b85ee0

SHA1
59353ae18063a02fc4ea162034f09d58b66c6cdf

SHA256
2a7d2b38630136a718b4dc43823e31679036fecff1d1790df92f3b9dd5b50cf6

SHA512
d921d0ab141109699742739e2dc00248f96121227045dc8a3761f15491ba896a140a66b893ac8fa7845c90f76a1c7ee64e29797795b0d011a33d45fd60b76392

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
7a319bdad6e2561d9263156072f305d5

SHA1
4966877e28290ff622623ae87772e05f4253984c

SHA256
c50f8e0decc39d0d574acf88592dbcf2a24492416022f58825e6ded8ed8c8ca8

SHA512
da63be1da8095564940d07dc26471bccaff4867680a1f6d85134bea4489e7e5b9a120327cfc51ec1178360d8c1aee1d54b01a0b9431fd635463c26a0132803fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
63fccc0d046820b6c56c2439ff2a071a

SHA1
ed225e42af4182e7b8a1e44f96014b257e3e220e

SHA256
4d7686d78b68fd92379e3eb334c00b971678cc419234adf148a7ceab0908365a

SHA512
65b665a5795bf7fa4d5681a1f5960b58176f047a5df608fe1609782a2911b61f4bb135306b23c7dbb5930efcc1979d27137c68579a4d665d9cf5c62caf77ab4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
9490660dda8a332fe9a5ba8ff23a3d37

SHA1
525ad4f6741da2e83e3f6c7d2c34acd02262f120

SHA256
5483e89615b69f90954cfa8273ddc4c37151c8dff28db78a54050b7ae3e96842

SHA512
8b35a4d05d0661584344d2b76adc7e0c5142da74eedb697ba75cc864446424b30070329037967426a9ec47931b567f4d435c614bcce9c79abee6f09c804220c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
2d863b235baa25091a6f466d8e374295

SHA1
44c919e14bd8ee701da14263b2f6bf70470c5c76

SHA256
ad781430ab55e0d28d86f1b98cee7d54fe4745494e5255bdfc9a1d92263318d0

SHA512
a04ff971427c15638f4b79b18bdee41e4db2fe7d6f3af6076010f3e4bbbd78eb02f97f5afced5ecf3093b6ad2aab825ddf30f80cb738d28cbf24792c04fdd07e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6ef0057fdfbf90c99754ceaffadedbcd

SHA1
724b6ab0a6ae0aaef6673ce39f02777953a7c1eb

SHA256
da9e4368b5e8a73f34e1bdb09e280352889375e3b8dd0e54d51b8381a5ad5ca4

SHA512
ee34534878755aaf88157bc0c072af4ec15b53b1a4b95f546868deb11ec542c7e03eedacf4f42f87c3170e5da54b7690c1f4fea7da30270c68e448fd8fa87f93

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
94a926525af8ee51feaada991db17ddf

SHA1
7833b99a2973d4bc946013739999a1f4c0f8a4e3

SHA256
24634b43e29965e52403ee084d5dd04761da0d4de2cd7542b9fe365ba0752110

SHA512
9d95dbc1aa4453f67e8fa8ee01e41ff5a7b689c8730ad438728b5ec4e13d0a2354aedd2ac94a9b682284addaf6945864ea1feb0d5efb7f877cbd212548e71cfb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ea18693fa608708f3ef4e1cb11148a88

SHA1
99de45b0ffbad54facf6c9cb184c1f29799371c0

SHA256
fe2781c2cbeb524d89885a28f21faf7fb291c2122d78c69d049d89fd812da745

SHA512
f4a5854f0a7854e093b44808fd7a4f92061a3f87c29eb4e340f8d60414f814ccef4cc59c510b7c87751d5c50b3c1e02f2decfa776d88a714d0f6fff422c57b24

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3ec0a3e83cefc3ab3f2404cea683ec93

SHA1
e8cd55e7f628d8c9c0b6f0df39529c8b57ae008b

SHA256
53a470891b8b3e01b1cf1d90e9963c52f98019c0e2eeb7fa909b4f5b31863cd3

SHA512
b820cf8853dc95007d21e6c4b148a6b542594faa93eebd0ff4f5f32e79bc78a59b91475213f58cb2d3d59049401eff10bd5f84b67ed41b2066c66c38f48b30f8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c734de0de71d2580a830ced786b24e00

SHA1
60bdc3b71727b79a982c70a4e16c79c667524734

SHA256
ff73f86cedfa1e439efade42a64cf8e8f5d41d3f6629247ff731028c66161707

SHA512
e4278f2244432e40cafac1fd1f9f6a3dfa92ea4c4b3404dabad5021fa3c3e71d55b245fc01b24f1b799aabf37273db26a5ac686de991b64b4f0b255c07dac1ef

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b5060dc2df7ed74933e17035f2e7343a

SHA1
120b3be65ec4081ee0e2a6b6bb1fc047d370abe1

SHA256
ffc862ba7218ddc554c8f07ac5bfa7bc241f668d4971348d19311a52e1600127

SHA512
821fb8f5b9a1485a9b6cb8b1d3840f736a8ae8146d24bc819fde5e47684bbb96ad5b867c205259cc3f417d1ae9f8a8434c66d730ff49ba530b156485dc2a0547

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9f5a074789a08224c3a385067e9bb625

SHA1
a069d8b61e66647436fb1031793b8dd3a8344ffb

SHA256
c6217a8e1db0bde562e8b8f584b7ec5e11020fbb7d504215426be5d39d737d4b

SHA512
6e5c0ef712bdf0b91585fd65cd327e128c1d220b040116e0c1c988e0920960ced0c850d767dd5b5479278fb9fb5911ef4328c284a7f1a6f2c684c7c6fdade557

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9c0476755723aed42765612f9dfeaf04

SHA1
77a91a1eedb34454b3ba11514ccd29f3ddc3528e

SHA256
4ea7593b6f72586ed853e33b6525ede04174818b3f68bf4c49def3562adbc9a8

SHA512
8789afa0fd406974b10a5afe0a825fa03545b46e08d3e208b0d81dc49ee5443c0c7fe0913635c1021471772b561152a760dbbe9976b640f8c7fe0b36270b7e8e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
20a6d6621bfcc2a0310ac9c62e6a331e

SHA1
8489dc647f8cbd8815c658db2a6d6eab7b402a17

SHA256
1adfa7aa50670cb518c425fd1dcdbb5869ff8afe0c6ba506e0362bd33f8c411e

SHA512
eafc59d94609e045dc1a019c31b7946a073b8f6586b187e2227170281459a0b7ea04be270a19921294d224e8c379596bcba54ddd57bcb3945ddf8978d4c8a363

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
906b0e62be04068158db64c783d09f86

SHA1
955086e29b7e92c092587aaa69badc8bef485ee9

SHA256
17c2b21bec42c564e4a82ccaa9ab855d30e7ebc5868e7d4532f169ca3e7367d8

SHA512
5f12041fe7a23e7a88f401352873cc09a9359ba1925bdb9a0ae6a67c5b406519c2b32fb190017ddd7313fa7f2e49f07bbac050c3351f57f423d8dbcdaae30406

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b2b361bdf4b9ffa9f33254198c66dcf8

SHA1
acb1323f7d1917c6f83f06a8d9433edb32d02707

SHA256
705bda32184d955182f69f87af2496fbb1933e791fab637105f3b4099b0ab19e

SHA512
dcca95fc765f54eaa6f61f54334470ba743a4596956a02f14bca438bb1c6a5e4fe553deea2ca0b965ba394b014a6a9c3fec4fb96127ef4ae7996c265bf30e297

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
68bba49ca227f1b21fc77bc235e833a2

SHA1
cacfc812d1d3ea542df0e01a1a9bed7153914a57

SHA256
435649d11edd421f489348627b74b9120da4c3329b6b61791b8e1082506fe5fc

SHA512
0fc936fee63511a784ca952ed9232e3e16dc5ab5a7676a5ddcf9680dd962a0ff9a15bb08eab449a99df2eab7f2aa7400451e907b56f62782741dfc84c2ae255b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f65c55985b5cc3b3d050dd74fb746d2c

SHA1
6e1a4124ed8b7c43d4fe1d5d26f2a647c80f20dc

SHA256
4772c3ad04e98abfe9ba979c9b57ea8fd7a0998ad6ec00593d8480a3c4bb2e3d

SHA512
3d5c4b0229ca4e27856eea7ef2faeaacb48d280732747e5bcd345ab879c37e79100c5fdd9478f3120c61eda6b214cae470f5ebbf22a26a12e57ef8a311745c36

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9043c6ad49787c1c7b13854fb4bdf946

SHA1
fd50f9458965a3ca9d1c145b56be5601ddbb18c3

SHA256
da23087fb7b3d59249214d90a1fd1ed623b02ac8d6fd59b3633ebe37c4abad41

SHA512
37c86dc396df156f43ee90f600dda62a4815ea4c79fd89d0b7f154c2f5114890e8f5ad4ed576fe78d034364d31a9bb2cd3df71e5f5a4820d32fa422845f8e925

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
917b01b04df5685328abd9c7c2700855

SHA1
5dfb69b795538b59ea3e35448ff5298c570e42f1

SHA256
03d3f77a3464ae091c9223466140c0e915fd828ee48253af09f90e1f2019046e

SHA512
1090beca4467eec75953f3c3a067f4369629858bd297c0b3d18a81a8749c4fad024431965900bb616fc093407b9fdea74675090370fb3e5335dfbad8cd6d4d9c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d57c3c350f232a6260f48e9ffb47516f

SHA1
1108144a6d113ebde065114f72fc145cc9fab907

SHA256
f4ee435d80f146baa08ffbcc33ac7c8d841e3e487ca9515fc82287ef3fc9da48

SHA512
88197e6f98d3844cf38165e243fd3f82e4622e8660ca3e9d0eabfb72ed226f2abd19b55b3771d345c199e1b75f656abcb5adc7c32a5729142334a3fc911a7160

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
67d737c4c732dc9649b641e824797331

SHA1
dad4374e1b76ddefbb60173b1f6de24ca9adf875

SHA256
627ec6494aa3f7fbda4e3964b86405164ad1bcfe9bb15d09e21c82bc3b6afa24

SHA512
15d84af9a9c8dae18c953169c3ae063a52aebea6d815a6c34d2141ce93c97549b07d810b50657ac9942e54d01054e7c9ca59bf8fddd38b394fe6b300e1b1ca50

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d1ae0ab55b793654029d0c4d21b25895

SHA1
6279c18bb42d09e43c2bd9f8b1f556e7d49ba601

SHA256
92a127a5e4749e1dc57ca683ddec4efd47bfc11bc58ae50ae4feb4ca5b2906fe

SHA512
626ec1d7aee96bf45c82b9aaf8bfedb8ab61f963c401f97d6a8e90bef1a71eef8e017f52e4355eb14dc103ead5bbd5a2a654f3461b3f167ca14ffb7e53192acc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
431873bf79da97d4562d0314d0e6da15

SHA1
5b07774632ee8e1c529d75e1e2495961132d3fdb

SHA256
838b9f481eae08c39abb6b4d58c226c30a958c745985f85cca9385ac0572448f

SHA512
a2e85f1a36f81bf26160d2c0668bd5e2a251fc056e3c1202a96867357057cde3de1b11a463c61f978bde523f6808e793ec1393724a22a575362c299e8b4ea3ee

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
63ebc4c550efba93badb4996d0a47294

SHA1
beef64cc8e74f95643179c33ab4873e79dc3e3c8

SHA256
157a6b08db695380db13ac15ec3279fbb36a015d8359446125903365b6c96b9a

SHA512
0da923c32233e2a0ba014ffdaac6e99f6cdc11b059b8a3166a61d7e2f809bcb8b606f0d629f3ba00d2fd05d598afe6c23367312cd22096001f490b56d173d09f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f788b2be12fd4185499e0eba62e981a5

SHA1
cc938aa2920a128aefe5c4eb3ef483fc6f40c020

SHA256
a794b4e7de8637dc4da89b83f5b7308afda825904c3e44f621600d22ee267d69

SHA512
eccaa74dde3276adf5c6e67e8d57f9235b1c88583abbeace545a15435b2798205e5fda17d34e669580fa0c650b0565c7615e72d03db48e5a118a04f1ee89075f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7d8247e9decd2d6f061754aa27e6d021

SHA1
252c63e9f82da8e4da549187357d2c9c9ea2dd43

SHA256
4100ee49c0a90b773c2cf8697d2cc430f704c978002bcd9b9c9e2cd8e23aefbe

SHA512
996c869a4c9c8c1cb977099300df3877e09eda0d765aeef39329beea1c326d20c9d3704fa67fe98ecae10ddfb232fa7267b3eb4b7981598a41e4f83b16436ed6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
52a408a3f4bb88454db2fa1c38ae7784

SHA1
288e7209cfa9f96ad8801a5d4f4c8775a9f863fc

SHA256
0f93ad49be9f5530cabb6201a23c360c499e234ba4209ba61125a130cd42f8ce

SHA512
b380caac2e15efcd45ab69298f3d89333a62a23eb77918e04258e7c5f0bb018521794af1cddab2c129e89479a8ce8a5501f031b9a64550003ca76060968feab3

Download Submit
memory/928-310-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1416-605-0x0000000140000000-0x00000001402EF000-memory.dmp

Filesize
2.9MB

Download
memory/1416-604-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1416-8-0x0000000140000000-0x00000001402EF000-memory.dmp

Filesize
2.9MB

Download
memory/1416-84-0x0000000140000000-0x00000001402EF000-memory.dmp

Filesize
2.9MB

Download
memory/1416-9-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1416-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1920-305-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1968-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2272-48-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2272-39-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2272-45-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2272-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2272-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2976-300-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3020-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3020-648-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3020-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3020-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3040-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3040-59-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3040-53-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3040-647-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3332-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3332-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3332-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3332-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3332-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3780-302-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3780-599-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3840-102-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3840-91-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3952-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3952-35-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3952-484-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3952-36-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4344-264-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4344-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4344-21-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4344-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4392-265-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4420-304-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4452-309-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4612-313-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4788-315-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4788-653-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4800-103-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4800-651-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4908-314-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4908-652-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5000-311-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5012-301-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5024-312-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download