8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
Size

648KB
MD5

a624266c17519a38f360aba25684837c
SHA1

39bf92846abd6b1a3bd6aaff038c58008020b5af
SHA256

8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f
SHA512

fd36c331b00bf8d76743545a93a97ae385f9f1b62db2888c4a8dcf2f3b4d4122b4dbbb5a1049e8ac84028fe958bc63adf6d3852e8bd12182d259a193bfcdb8b5
SSDEEP

12288:kqz2DWURqZiMwQJXx6a/YvRcFKBsX9Da2XbJda3Q93i8OPowY79pk/DCWN:9z2DW/ZiUJXca/VQBIe2dhi8OP3YGv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
412	alg.exe
4320	DiagnosticsHub.StandardCollector.Service.exe
3668	fxssvc.exe
2188	elevation_service.exe
3624	elevation_service.exe
1676	maintenanceservice.exe
4472	msdtc.exe
4388	OSE.EXE
3284	PerceptionSimulationService.exe
2388	perfhost.exe
2136	locator.exe
1216	SensorDataService.exe
3864	snmptrap.exe
3752	spectrum.exe
1072	ssh-agent.exe
3832	TieringEngineService.exe
2272	AgentService.exe
744	vds.exe
860	vssvc.exe
2520	wbengine.exe
2740	WmiApSrv.exe
3216	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3e6b0cb5b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\System32\vds.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062d6e6c5a8c2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000caa54dc3a8c2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1b77fc3a8c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4f35bc3a8c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000867600c4a8c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e2c95c3a8c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a12611c4a8c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4320	DiagnosticsHub.StandardCollector.Service.exe
4320	DiagnosticsHub.StandardCollector.Service.exe
4320	DiagnosticsHub.StandardCollector.Service.exe
4320	DiagnosticsHub.StandardCollector.Service.exe
4320	DiagnosticsHub.StandardCollector.Service.exe
4320	DiagnosticsHub.StandardCollector.Service.exe
4320	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3616	8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
Token: SeAuditPrivilege	3668	fxssvc.exe
Token: SeRestorePrivilege	3832	TieringEngineService.exe
Token: SeManageVolumePrivilege	3832	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2272	AgentService.exe
Token: SeBackupPrivilege	860	vssvc.exe
Token: SeRestorePrivilege	860	vssvc.exe
Token: SeAuditPrivilege	860	vssvc.exe
Token: SeBackupPrivilege	2520	wbengine.exe
Token: SeRestorePrivilege	2520	wbengine.exe
Token: SeSecurityPrivilege	2520	wbengine.exe
Token: 33	3216	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3216	SearchIndexer.exe
Token: SeDebugPrivilege	412	alg.exe
Token: SeDebugPrivilege	412	alg.exe
Token: SeDebugPrivilege	412	alg.exe
Token: SeDebugPrivilege	4320	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 3764	3216	SearchIndexer.exe	111
PID 3216 wrote to memory of 3764	3216	SearchIndexer.exe	111
PID 3216 wrote to memory of 436	3216	SearchIndexer.exe	112
PID 3216 wrote to memory of 436	3216	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
"C:\Users\Admin\AppData\Local\Temp\8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3624

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1216

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3752

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:264

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3764
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
30696c3ec99390ff8b2c92debf718eda

SHA1
dea392e398de8846c7e7a94d6cd470793cfb75a8

SHA256
e72a4e1b9a5265448c2437f3aa73f9872d294c798fdb1e144f52a5d6fd7caa39

SHA512
48117a7bfc0e3b0726af6e55ff982b8fa76c954efcd9a05bdc11cb3f1f917a11d292cfb2dfd70bdad8c2187085a1d73329de0c1d9e5260c476e765631bbddd76

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6c4fd56c08945120c7d0d3631b87fb79

SHA1
5dc7de0c6d861705a01c1793e7b1d41850d17071

SHA256
c08b4afbc79369e0a9e028a85ae7cd073f7cbe1911a24a4de46ce71f33db5193

SHA512
025314e5342d211c194a0fcec1078bc1c2fce932896d4b88b24a4aa7110aab954626c6ca96bc692770074f7cc3c2d392d69cd41b42fd51f3cb76631542ac5e9c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0db8c70c968d3b75b3edf64886d00b8f

SHA1
d92b1f921b08f968bf264af25cda7e72a2f86972

SHA256
948e2bda6f95bc301be3b2ee8a1557bd984c589d866c220f08de961108e894ab

SHA512
dc2bd09f8fe6d8cf977f9921e804343432a6907a3010794e221ed4a6afb0f40dd96ada957c22ca24082b68d7633501ecfb1857aee63bbe2d95c4927535f284eb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0afebc18b54bbbaaf26d4d4454e52632

SHA1
6abfb399452f027236e9453a2a248220f4d47cde

SHA256
0c9034a269740dc319b014a9d31e24b9ac0212de7cd0eb58a3d64a7e369186e9

SHA512
34103961b24c10fa8e35b3b9d3ee6420c5348576ae359a63edb05e2c15daf73ee44aa51a9b50ee136cb5a42399391fef0855b9e3c845ef0f1d35279a1ed5a5de

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d992e70190d6dd394797af0f60b8bb84

SHA1
2b83baaed46aef5fb9b826803cb0c9d04e788b50

SHA256
d549b1b1a21756d110f790d63bf35dcade5d30b6498f5139d4241f33171a46f4

SHA512
6c9329ce5357d7365e809a6690692e479b6540c7b20d7c7ecd421e6587e84c3383afc9383fa4a023cf0b3e38d1701e1663718cc5826f1455464cb863acc17773

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
09d3dc1cb34c369471ced2216a21e1a9

SHA1
bfcc398ee62bcad3e8e3bebcb831f9a92abdebc3

SHA256
850b92653e1f5afa38ee464c7b796ee51f515c03dda3add19ce8d9532a0f52f1

SHA512
ca504ca95da1f23249f148cc8316c6c182e93d1e9073d786648e34670cf000fe04e54e09807f5e63e76d57d80fb2ae8210d5c69b679e04dde88856dede040bbf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8e2f2db0da800812606205e7dd81d772

SHA1
8c386c41b9c9ac6b32a75e41b7c7bb459fb8fb9d

SHA256
dbf4b9e5d411fce7ca8aa4c2f54fb726075e337a22ab3ed94320cfbb52b0a8d2

SHA512
5819395abbb46f3cb72ce20c9ebe8d154ceb1934f3eda9c3dbbd6b3fa028545fb857dda3185e4623d0aec45e4461e932b1fd7b9ea4c1c0e0b1b5ec87d6abfa30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7241f011612b67cee2a250a2793f1139

SHA1
55deb35ed5a702f22e03c7f2da8ac77eff78d1dc

SHA256
bad34bb9ab6ba0e3a15d11dd80e0b0c761e1d2ac1db31ca4871d818a75809edb

SHA512
6b9f8f0f2cc3a1fd735d04bf7221084ac67adea920ba9ba524fbd469437f5a12c75aec50e6ad1dc7f528fc5cba2436e108ae08e1eaaa7ef4509f39d181f7f997

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
10d7d4ef38def0f668ea464bcddaebdf

SHA1
3b446fbeeebf710f9d09ec99abaab6a418658a95

SHA256
36489a427c2fe79ff0a48e38be8f68f60732855d2ec2430692e5def87349a7e6

SHA512
008502830b491a0412def20d7f257d47dd5f3caa397815fc95756e53d4afbf5158651766302ed634e5003f8263a77a390aacbbd5fafbfd647bef7bd642e69cf4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4cecf47f01fdd9aa52b5d1b05e15eaba

SHA1
e6a053351f02003287af199a39d9b243f33ffd23

SHA256
c9bf9f451ab5e48331bc0bf6df3c4a748cadcf7ba4ab61a47fceb33f0778eb2a

SHA512
32dd6fb4a40b19825aea55195010a7ec39be733aa4968f40d7e71fbcdc129d6a030a7111e266cc686bde3b8f3031b82a68a79d0560973744e0dd5d93fe27ae8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
51e82ebbcbe1e0dc1032f48614be234e

SHA1
fd232ea4bf4e6b941ea3928d2f5408807df2cf93

SHA256
c664d785c4815f4722bce0cde1f5ad7fe1fcbc6a9da70e1b78289a552e4dd2fe

SHA512
c2040c725f071742cde28798867cad213ec8e3f15d57042ad2924a29f0a399c05d1d017a02c9d50bf5699b675f39541bac3fa8db5036b6a10eb54faec193a4e7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ecd641781cff17b0f849cde613383c74

SHA1
f10656aacae4cb7458fbb5aa2ea34a7c295fb86a

SHA256
6da003e818f2cf16eb60adc10d7f6eac28de017ed147592588991c3f1dfb83db

SHA512
4dfce9396615f68cc88a6cd427cb052ba34b2f6b0ce58a8e131cc8739fe6c2a5383f4acc5e7f48874bc9ee3365f0a9e1e5cd24860d17a1143321ab2eb737a4e6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
831d82c4ec7ee0813c985175759fb09e

SHA1
e0058f671ff761928456a10522c6dce3c4642e0b

SHA256
eb997da8a9057bc817a390592d4f93638e500d3bf6c99bac515f49ff3574d8de

SHA512
79e122dc886661250c2f2a3e4bcdb55bc542434b07137c590de27b5a82d990444c0ce9967bc00d1ee35dc76a9c8c1014dac553ef53d9292ee0fabbc10f365bae

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9177156b8110cd7f20e73330be1bac11

SHA1
1a78db3d1451aca3adcf0aaa200214242cc5189d

SHA256
bd8aa5996b1b7886056340b43616d59acf35680907562c6469d96baed5cdf1c4

SHA512
f81b1353333f45db095da5a5a9bff5f905efb4b5ecd296227fd33c976d3139f2d5b8f349dea4ac198568c92f3e5663abafbc91d3ebd97e6246e7914cc15a048c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0d9c10aba52ed15b49524798c28dba99

SHA1
9b12948adc21d4c1e35bd999b7630a657d21ea3b

SHA256
515569f7b3ddd5f92715bed4ac658ccf712a2587bd76635fcd1a25f2bdbc7a3a

SHA512
adb965d8e75b78260f8c966161414179ce918ebddc29d70f56a7a5ef819f5ceab9c7f3add078c7f5e9a18a929ed8c1ba5f336849791cb7ee6c0981666fec06de

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5a065053cfc586d73a540162faad4eb0

SHA1
1b3f6ec06d8f3d0d99e5a8bd811e464327e471ef

SHA256
92734a8bec172308fb846000d544317ff5cf281333d15a3905697ea52a3ab6df

SHA512
571e19f055a07c7862f4ba5cc58cd8526fe26f3be20054dcd0c3bc0db903e25e68058075ae63ffefc7cafc67cd4873d45cf7f6447f98e9e89a4f6341a44ca1ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
424fb7db1159ff56f724c094974b1097

SHA1
852e1686703ae947781c6b70175c3bc10fa24d62

SHA256
8c9d482dbe398a540a4f254368b9a45832285dade7f562aecc1417f4c2bb1268

SHA512
a1a731903671e344f43601296592478b91f6b421593685f36e3bee563d54680ba82e799617ebbfa3d5e30af95cb2d205b994ebc700d8eff7598759487666752c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3086cf64e2af10ddbb8bb5a1ddc7977e

SHA1
bc3a08039752980af18f5d52eb5d1394c2fb4e7e

SHA256
6a38126ef1660fd23718bda921487171aa58a30ff3356baec0be8518b3653fea

SHA512
94aaf38b74faaf8cd1b99d66d674b0247564e8870c2243106df344911e764c92651fc3cbe1b687050afdac5f4cbbf68ef4da00a3f4b80fd5db8e3538916c6fd6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0d275f3c44e70fa2a607e7a598ff41e3

SHA1
b1d838ba47b2ae1b9141aed1ddbea7771b3f9324

SHA256
fa1b6fa7f6ef8133baa399cf91da7456fd522f37e563bafef6f6c204bdbd8537

SHA512
24c721a41c7996883da789f8f32c562e474e504fba3e7880708ce2f0c3750bbcca0d85be498864f6cba76be8c751eb5336cbcacc50a662e220cfafeede1fb6c0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5a08befbceaef55a586ef03734ebf117

SHA1
4af4d23a3359619a8ad9135cc27db629b7a3d28e

SHA256
18c9bcddde3ad8ac25333b5d56cfc6a29d4c17c55afa47df4279b5d672160adb

SHA512
aee2cae6d903e20bbd90c4a47b7ba7c5448f084965b3379e424aae959fe92278d213a40e07b5ef47f55998502f8151650583480242c0b74b740ff6bd43969934

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
833bc62716b69f2f3802b168e1cc7da2

SHA1
8913980312ab080d436f05f10c404656b18655e1

SHA256
712d1c4ffd5850a9287c3a9c2c7ab13102d3952006565fc84c56c05d74d78ace

SHA512
69c5aae35fa1233e3cc09de21ddb811ee5693a31a3a840ca2e88d7b4a28deb64413c039a85223a91353057fcccd13ba94bceff97d5e4837c78cd409e853cf90f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6e0aa60c564c2d37f361dfbc21a2fd8d

SHA1
e6b6b3718668b946ca6534ded5f193780c54e367

SHA256
96aa849f422495cfea04862d8c3d700739fdb90d78c1e19e8d18351adc9d28fe

SHA512
595678c031aa1ddd7a1810e5bb1dc8fe53837b1a4572284b3d991778dafa6d1d93cfee739d6a841adeb0494bab770acf63da488bb003a979041af83e22a8f61b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f1fcad6296218379ebadd3e0473365ec

SHA1
ef1e1d9ef1a11d82f8e9bc4da4d9eb49ea6eb53a

SHA256
22fed0684b7cd7702d9df92b2a5363ba06e3d51823da8dc4273289531ad88124

SHA512
034918c59644efa461bf98bfd382f45b24d93d073d005192bf104706ef64febb5bd09531e09332b3e3aa713e72f5d0d0233dfbc62df519285b463bb43c883a6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
997ccd7a27e7432190043174071ff6b4

SHA1
6ffac4da01f83310c6fd001d17f1a3f36a0cd070

SHA256
caed46614c8a184edf74255c30c4f6f792db187a273d4be209d1809ebc2d83df

SHA512
f5a24037309ab6c0eb7beb6a7697f42990e6a1ee75e26e92d0b35a5c7551506569c9e618dbba01423086f547895ff921b00047b2b98232d50218d075a4fd39f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2908c493a5c691bddcf1d6314b03e208

SHA1
d004662352139975f5ec41608da1b585d785072d

SHA256
f12b5501e209934e3e5382dc7de3c2ab9db13c7f922efede4934dbc57c6c3287

SHA512
92a11a55c64d6197d3cd07d1896a8d7346c8751ff63ebc582b4a5efa2f0fe9786ff129e3c8e592e8e61d149058321f9b66fc4b656f45dcd7d7a6e4966755488e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
75b33d69dd2f15d5c15c1c1c726f0abd

SHA1
bbe7da2991b6066342746caad74d5722806f522a

SHA256
c325bcdd0bfebbbcf6243c96b4b860fdac5cf1d992191e958d81de4981fb0f9d

SHA512
18d665f2baf95a332905287294b4b5f12c08e675ae3ca3586edcc872837bf90d528313669f6f0b336fe3f2c866babf8bd099bb2637510b12ed3b8450e5d65b9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
fdd476586943724002b096949dc2a01b

SHA1
f325dc8ec421ededc39d2270b100407bd9f7e591

SHA256
0361d9d6186145d19781369aaaffa3d0912094d2af12d979e471f829eb0f7ba1

SHA512
6b29d27d09d8116cb7699f98c44f4784feb524f5d4c605123c0952869c9a38c06d8a38e6805bcea0da11a91a5cb9b050e273fac6d1d0badc35868a72d19d038a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d38bf09a203ca9a0ef5ed3e060348d30

SHA1
48712ea7a89495c1d944e50f14bbe86ab63f4138

SHA256
165da39bbdc67d558b574d1164bc2f3f79d37d968005c9849e7a2d2f42217fac

SHA512
622a2249a698a1bb9eccb6a67a589414237bb31b4415e782506367bba0d4808a00470d68176d307f1662a32db37a5754c97583aa4689a8f739b166a0803565bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1926dc02f4291abf23f9f510fcbda0d8

SHA1
5dd8682d3774488f7359837dfde9e20c0e3de168

SHA256
043e860302f77debddb56381f44c8a59e1ef906144d9c6197670cb819b52b616

SHA512
e71dce2a7e2949e51a11ca1cd22b592b4e40d01f2c7c3bf5c8fdaf1a57b73811fc60ca46d8431c3b3e387be482162dd4fe9b1941cca28b77804ee1d8e25d0133

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e0f89b87537ba1e8c21c9f4111904ee2

SHA1
d05cc337e25c14053c64d9e31481e99dc758a8fe

SHA256
150b70f7ad2fd9da0dc142639ce75e1f0e1fbf5bb16fad480ccc9d0c5548f241

SHA512
979c6eb4e3542013477f493b55740e9484b7817d286522c8d211018c8f04f9abf73fd267ff3fcff1ca4b8d6e86a1e2b5ea8ac118cfdaee43c741c5dcd5e64571

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
0291f9c8f75406c958b024660015a4d2

SHA1
18f1ef4d428cc35d9b9e8974e59cb2d3d7a87889

SHA256
7ae89dfd0c05a9c36cade48ffd764da9b3e64174cd7326448b98c2a48e9a582a

SHA512
aadd42ae52542a8c6b8f04137877b95cf9e62715ed6d19c4c70c39ba03d31369ef4e50e938819a0649db0b5fe66c74eec8ed029d2565f0d83f7af1a555c216e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
6325eda65f8ad7a58462bf8d41597f43

SHA1
357d2a1c685306376dc1665ce11267b9006a8729

SHA256
f1fa1b05bab95f155759f2565eca5bdcac3096698bf93558a9881a82ada1b00b

SHA512
3a248910904cc3e398988eebec743beb9ebbc2879544eecc41261e6b56eb01674a3dd4c7fdec9c57a79d9238dd3dcefab65b12032783811b31c481012702daa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8051262c04aa990fa44b63e81378a0fe

SHA1
401a77bc2220a28f19ad8b4b7d0fddf6e53187a9

SHA256
8c6c539434f78533e3dc60f361072da048503eb49e86131e7d69f13a7bf31cc5

SHA512
2b95e828950a232412d5d2c7d67e8562ef82a477a96421f757d896ce5d8e627522c9977abd1ca8cfc32e770a3e21c258a7aefe65cbb23f816c2ba0aec38293b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
da354f3532dc9059cd08d54bea31d616

SHA1
bacaea284f9d9ecc95ad4b8b0f9506095d20b2ba

SHA256
4abaf133fda8b5e820e39c6910f616fd73632b3a38ac4d0ad77f5ca6db3fbe4a

SHA512
e4ce92eb875d0e45d43ac7293dc49dfbaf23d36e738873bcbc91752e5d0c6ce3879d97387f29f6a5caa297dc066fd0756c5178d11c99a4844b1b181e219dcd0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
642018b22c274c24780e510cf9fddaa2

SHA1
64265c15981a76b71d40638c6f9c0659f5ba6634

SHA256
7ba3c9baa6412f5cfba78ce0ff058b780ac8b0a32d2cdb010c9d6acd7e0f1853

SHA512
a4d1bdd2fa053ea72912332a7ee8a8980278d70b74a5b4fd45c0e1e837e17b8655213885ac7a83519e1f7fbe9dfeb30956ab9934a60c52304c63f284ff5aee89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
161aadc0bdd78a725113e4f278875ca4

SHA1
5b213351b11291f430e788ab7b42034264dc70cb

SHA256
8aed9be5d7230c0e924a1f73e5da38a3ddbb09726f6ba14a1b8e2bcc46bab684

SHA512
75b0c7444deedda12594bffc73a920bc3a186ee4ac0258cd42c9deaf6c214032e3f1a5c34aeca7afaf16600ed70aa0415c903663f3915ddd75202bf6343713ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8b391a241f196ce0eef1301d130ab2f7

SHA1
674e67caaa7690d5cb260342cc5ff2d748705cdf

SHA256
1669375cf60a2203169a6aa4f940e5fe69d0dae5bfa2c6e3b46464d16515de3f

SHA512
8e0942fb99e0bb64cef1039810fba62d24ea8a1762614360fad8fec3e12c9b58085469f74f2b45226b250a928ef5d205af57ae6fb7a9f28536f49f45be474fb3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b704468f77ca578b00d431e9062aae7f

SHA1
0000af15cf578e306889256a2d98a331b08af78b

SHA256
d3567d592725ca7291b93555a65ca032ebf2c344624a1efeadc571a697a4a64d

SHA512
f6190582de8bae47fb94094d10429ea113e50cb724c3483f5abe0720d79cadce69fe63766017e296a7ef7fccdcb66e8ef64246cbe7b4f81567b7baca0f36b9bc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8e8bfce211f4d437e36da774b6c18cdd

SHA1
5c37d88b89a7f2eb917beec0fbdd71fd0437d2d1

SHA256
11d919ad1b4590284b5e07f5e04cbe8fd558b480fbffcabf1073d2142ccc3370

SHA512
77c9d3cfd46a8530233c5a663cbe2fe62c137c01e4d380218cc8d5a155fa5455dbc00505d25ede896219acf15d297dbededd0bb91cfb5f472627045c2c831805

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
fe61b484c3de9577278998f5fd4f4c49

SHA1
8f8fc34e908e24d99456d52e79168891fab7d4c5

SHA256
f25c808472713de216a4673af2d6964366c128b083815410055f6a71a026880a

SHA512
14a30db91f31ddce1b0ca7a399cea75ed581a11384d7ab0d49c065d0f717e7e166f12ab2c338cc8cfcacbd5a5bedab0f8faf661de5165db6667fe7a45cc0ddc4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cac53c314274545605745a8409a402e0

SHA1
f2db418c4ce9e6ceab2c82f45ddbd86238ec3ab6

SHA256
026c6706c157c8122873ea83db6bb25d5548975c29044fca2a100da29daeaabc

SHA512
c6ecef0c1435a86bb9b2f12219ee859a2d7395d59f568ea166b1dd8878246f02fa9221784b802628ce9c16077cebd26c1f60fc82b4dd9e5c6a462df08042be5e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0a59c70cb11dc00b73f42842962fbd9f

SHA1
87b6f84c3212508c47dfb1e231a05ac75966345b

SHA256
5658f8f77bb0fad6e3037c8c555560521e2dc0956f7e17ffb68ba8fb60da2490

SHA512
9dcc044f96aa4bf76c44aa82e925474ab1ef6450d9baa309b852055ffd739b5a719f543e34c877b76eeadb9565185471b7d8a9cf8e6019fc911b1384319c2f59

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7fd89f716b422cae7825a9728065b10f

SHA1
7cadf904cd192355e973d0b9fa398c228b80f7e8

SHA256
646a1dfd0d505080c44faabd365b7f182fbb9aa84f0020a79e0955abcd4a4043

SHA512
9cf649f43578e33de2c153810348a354ee9b929c34ce86f2e2b8e212e465d2b6582538e00194ebb4dca970c5589d2973ba51d8c8774d169c51276945a394467c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ca7a4f754a66e5cc825d877a030a67ba

SHA1
f817dc95a274d9ea7e9087f762c2089d4b8bd2f6

SHA256
289df533fa84f8321868f08703ddc61cabc1ae3729ffce427599496d9df77674

SHA512
a0ff650f34189aa64ab679108d5b9788b411a4ded0186f39ab83fd2faf2511e72ba13ffc99f93be56f8f1ce04cc1aca69ddfaf0f6a30f7509b3c965f8548d9fe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
453c9e4fb833fb606f3a9de5ce476def

SHA1
ebb8e1f68a6c13f589f2190d71c176cdfcd54b2d

SHA256
41f06fca66cc68e4925221685f0f9b0060c70a708f47729364c669b718f11f6c

SHA512
43754bd0d00140797a8f874e6a6bb49c232c8220b18e7a2192f652277b5cde500f6d7bc24d1bd5fca93acf9f0747aee15fb922ca71a1687e404f7db929742841

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ad8af79087b37875646a7419436b6f50

SHA1
20efb7b0c5d7d280ec6324245eb935ed9d1c084e

SHA256
1b39047439e2027ecbc578b8d21e781be8fa6da4f3ab5e701fa270bd419e14f5

SHA512
adac6053b8f1d6e699afd429d8f82102743b4295217120beaa7f0cf676e950d5e4dfa5251937273519c7a830b01fe85628eaaa6966f71be88b56b0aa1167de92

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b584e11be61d88ab4ee2af1b8b073c96

SHA1
fe7d7ba83825ce5fbdf8237efeb07fb2e81ebea6

SHA256
6b10153cc6cabb8ceceaeecdf6cd81fb13d4c87baa3b6b36714c8136e43756ec

SHA512
54a23a02506924b37617c0a16ff356bf0a81cf3bd278ee4d213e9f9a8d94b7fbd5e70aeb35ee0c3ef5264d29c991284f1381a3b7e62a7536576e8e201fa46eb1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
065efac6d5d2837446de1977c8064f60

SHA1
d8311eda8851aaf65130969f1437c2513dc7934e

SHA256
1e860cb19be2376c508c6ec5cfd3cc4541eec787ab80639cda2b150abf87e333

SHA512
00634e0e2a881722b7002a4e93e847c66054ab28731cb1586ec3924c2e874e6395cd1aedfedebcf09b1c59742c9a31c5161ee927a8515c343a89c57005d106c5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c0ab7820fb01199666337347660b3827

SHA1
04b0c5d51be440e0258af340142893f2e2af04dd

SHA256
fd57acd1feebbe7cd07bd3e39e2794dfcb8df6fbc5aa17da79e378e1802e2c37

SHA512
aa3609701269eeb3629cfb614d141d198d5ece7d15903d5c1e3fdd4a8939a597a06f7515591b9403605850e78493ca48f78a431b509df350b5091c1620525ae7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
912958742f153fd69fcd207ad272934b

SHA1
42bab82189a8ad88852606163c8580252c21e3b8

SHA256
c4d5f0b843406d7d2dd1480ae6dc78967876db4597a391d16671d1a353f2a8e3

SHA512
87c45f9d0f661f0c635ad894524ba159df7b660644fc5c09dda0f9981f24e17b89a9bd80437d3dafd61309c404ae936f0a1aaf0c28ea6e6b669caa3ee90a23c5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cb7be12b322578ebc0ba34fcabc6d5cb

SHA1
a5d0ff4bfff71e7f8850f89a8c3f5d7fe804d0bb

SHA256
866220a8636b154b06f4d0fb8c10205dca3fef2b5406c812c63888f9cdf0c1a2

SHA512
e1674bc446ac64cacab67bd7256b7bd7c86d7db37998840e4a15ae938acdd956fe92e3197845fdc42d02c0a84b8ae7fd79d556331095ebc3e9d31e1086329c36

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
522c6d0cc985eb4a4b5b61b51366ab17

SHA1
fe953f8a8b34e0941182c1146bb64a4a8554c65e

SHA256
ecb1e41e6c098e09db8e37ac865fb01d44db2a4b9397bf01168641282c098625

SHA512
60ab86d5c11ef58b66eedf055c5643023fa5adf822e4faf5ca7b3fa857abd74486fa8e0cf55698cd0826b811e2fd875dae27ee5100007ab982ea814008f41bd7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
930621b5c3fd6aef7a4b0f5096983c45

SHA1
b793bc3bf0fc28d87bd2d5c2b7be298317f8cf86

SHA256
18e9ca5b4dd38337fcd13b734e440677b0a7f660e1530c7631c7547ae81dbb33

SHA512
d8c6c9820de5f2739772f581d052129e30b397e890b85aaa4924ae50f0587fde4811873ba3215757941050726091e1c7043938d64c4f88b2bd22986c83587396

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5c1c7fe1b6029cae07e0d6d178d9753d

SHA1
009a31aa93e17191721476aa0c8c03fb48dd07df

SHA256
25224eca49cca858785e466f5e1b6ab4b9209277081ba05a6aa3a564cec01473

SHA512
d03ab0884706473a86279521dada6216b8d2f25a142af1f3ac351be7b7c22a5ecb46df4273ee2eba368457d9bb75345a7fc507f4cc2598d237b9793ff3a5a598

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a1c54837aa46f2cc90b3c8a40f5cc668

SHA1
194d594433b46ccb457b78dddfb37cc9cf853970

SHA256
83f9454f0e5a7135e5d10737ec00e9c4c453b3cdf62faf9a8cfeecb1cb049f21

SHA512
2f6074ab341f5effc114629618f37e297a7007afea89bf262fac3dbae00d39355500e297193350775721839253ed05bfb341916f9f898b263d993f9c72877f7a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d9761b59df2ed1147af6fa80b4e1c7a8

SHA1
2231602eb9732764cc6eafbfdb6e1c29bedae9d3

SHA256
475131e4cfb342e3a1749889909def448a2f0a391a0d703f9681a3474603b751

SHA512
907c4ea5fc1bdd9b9ac80f442d4e0495d4bfc57805f79cac831615e7226e3e40954e5d38d9a70beb1735db56078b959e496f9fbf136b7e5b1cf4c2bd1ad9f62a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b213232db0dc45b65bf0b9a57cb9fe69

SHA1
7f68bc029e61c347e95b4d60d9e512ef6df6825e

SHA256
2eb684309c03953644add68e7ba435ddb061062b62708e8257ab30ce1ccd0d97

SHA512
a0c554ecacbfb4bfa23aee14939ba39d71c0311156b765e95b1b9acc1d0ce903e399552e941810508c5063189ea163c1906019712fbbab76ad0fc0f6b9c50a1f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b6daffa4773934ff80ca01c109a8f979

SHA1
9fb412ccc9905138900daff57786220be4175f54

SHA256
a5160a5d7e400a67661eeada405d55461bdc21dff53c26e3f8926bf31c224f5a

SHA512
2192fb4da68400fbf51a5140990d105c59a6b2f8c56e75ab88f47a205b962fe9a413eee6c73c5db5c8dd5f8600f418ed64cc96c12462098be4d463cf0a2c9638

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d2abfdc3d92a3f7b5c3826538d354606

SHA1
c802caaff3d81f9c87113b0e5c7ba9dc9745bbd1

SHA256
6693d32729606318a4c0d643a5f7945ea109db9c1a79cebad088750f1f840c15

SHA512
7f52ca5cb64aebe9e351bd30521949d35f743590c7de61db4d00ae72d08a58b8f3203edbe3432e364a5b339918fb9c76b81852347c7e706c5d7e930eb91e190f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
824ec7a980fd370912eaa8ebe15e5056

SHA1
e34074839e7a695568fbaf7ded818a8b9971e5a4

SHA256
b54208850b5b9a9f573248081b0fa6ecc36e1e737c4efb0024a93f13aece770d

SHA512
68bfb2593f654b5b415357c9f33f924a5f5d73f1cb7725ad8e671a5184fb0d149e316cd8aa3bea7d7b53da42c64a6423cfc5c62593e6fef3b0219639d5e8cbaa

Download Submit
memory/412-203-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/412-19-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/412-13-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/412-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/744-277-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/860-278-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1072-204-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1216-178-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1216-553-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1676-77-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1676-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1676-83-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1676-87-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1676-90-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2136-177-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2188-566-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2188-49-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2188-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2188-55-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2272-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2272-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2388-176-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2520-280-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2740-281-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2740-573-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3216-574-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3216-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3284-175-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3616-472-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3616-75-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3616-0-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3616-6-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3616-7-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3616-8-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3616-473-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3624-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3624-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3624-567-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3624-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3668-72-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3668-38-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3668-46-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3668-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3668-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3752-571-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3752-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3832-205-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3832-572-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3864-179-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4320-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4320-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4320-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4320-215-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4388-174-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4472-92-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4472-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4472-568-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download