92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
Size

664KB
MD5

d21c88798c0efedc2737551603d8b46f
SHA1

d8591ff2f457aadd45fcb728a1ad94f70b45c554
SHA256

92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e
SHA512

ce3db0fe1d6f4fe38a692d538085f6d5ff8a21f5fd0c2057f14d189909f25e002bc164f3518942f9777b991a7a72f253b2d7f7051b4a9b859afaf0898197b5eb
SSDEEP

12288:KuKU5VFWwHiC4mxYr8PCAwQy3KVMsMWsYNv+0kHe/6eZ0hW4:KnwH/BYcCAwQEKesf/NmLeiTd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1976	alg.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
3884	fxssvc.exe
3064	elevation_service.exe
3964	elevation_service.exe
4308	maintenanceservice.exe
624	msdtc.exe
872	OSE.EXE
2268	PerceptionSimulationService.exe
1624	perfhost.exe
4936	locator.exe
3664	SensorDataService.exe
4552	snmptrap.exe
1528	spectrum.exe
1916	ssh-agent.exe
1568	TieringEngineService.exe
1488	AgentService.exe
3336	vds.exe
228	vssvc.exe
2616	wbengine.exe
2256	WmiApSrv.exe
1560	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\vssvc.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a2087f98293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\System32\vds.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\msiexec.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\spectrum.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\AgentService.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\wbengine.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007854e2f4a9c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dcdb9f4a9c2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e38c1bf5a9c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000864491f4a9c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdb322f5a9c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003eb341f5a9c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a40eef4a9c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
3064	elevation_service.exe
3064	elevation_service.exe
3064	elevation_service.exe
3064	elevation_service.exe
3064	elevation_service.exe
3064	elevation_service.exe
3064	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2644	92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
Token: SeAuditPrivilege	3884	fxssvc.exe
Token: SeRestorePrivilege	1568	TieringEngineService.exe
Token: SeManageVolumePrivilege	1568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1488	AgentService.exe
Token: SeBackupPrivilege	228	vssvc.exe
Token: SeRestorePrivilege	228	vssvc.exe
Token: SeAuditPrivilege	228	vssvc.exe
Token: 33	1560	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1560	SearchIndexer.exe
Token: SeDebugPrivilege	2712	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3064	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 4692	1560	SearchIndexer.exe	111
PID 1560 wrote to memory of 4692	1560	SearchIndexer.exe	111
PID 1560 wrote to memory of 1748	1560	SearchIndexer.exe	112
PID 1560 wrote to memory of 1748	1560	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe
"C:\Users\Admin\AppData\Local\Temp\92b2c9fe2a22d216946367b84c91212ea9a9712aa19aa0b8620186b3900f2c0e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1100

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3964

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4308

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:624

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1528

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4692
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8fa398c6366b4c09ab571ffbb7999636

SHA1
c5355d7cfd3bc371960fd91a0a498a77a93ca796

SHA256
571f48097e1ae704151ed5e24971d3c78af78cd1db9c876f07d2aa3c8b41485e

SHA512
f1e079bd53cc15e218b0cb99a45796aa08f1a8a46daa716a3f98c196f93d47dad48e6a13b2d84e8361ecf94d115593693c9c69da09146c307ab12663e14f4f8f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b11c6a232e6f29e4c6da9e3b2e27f2cf

SHA1
9bd2f9c9ea22560da1272eaeb30ee0cf221f6b57

SHA256
4540ff80066d0ea918cc9dbceb6620945e07468cd4c0611b0eb25b1910e9d6ab

SHA512
20c665594e455baf5fb6e9ad0d4669f7e90923d5a040241693ff5afb1119619367435957a19661c399850ccd5182ca9737eb815b36413dcc1ea27e7bdb79e514

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1281467aab159a15039b803ff1ea9c4a

SHA1
2560bff23ccc21211e8faf54c5598c13097aa9b4

SHA256
1f4bb498370865730e2ce170f9e09f53043f3f805d40e1dbd81b7a2bdb5cb014

SHA512
79e78cb1345a531c26ced5d67b1aace3e9f88d3b20bb2bdde83189696a733661d0df45f9b10a47c1fd0c639a356aefa3c17625a4782a2e4d68ec392ab076f00f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7fc41e2380f4351bb2af3d8118c389c7

SHA1
5227cf3504aa6887d0e23f0de36cd1ec4e240dd8

SHA256
0474ba1d803d0789205eecfbc0b9ed4b955e20f5808bf223a6a901d7e9ea7611

SHA512
b5be5d6c55296816a2f10e750b9c157c3b6f9528973bedbae44beb182abb868b9175bfe91cd095d55e7f9513c6bd0dad554e08610c623cc95c4d45230858387e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8eb8357f8653d899e315f4aef3b5d06d

SHA1
51d5b42ef9c3f8db612c54274bff8c864f173de1

SHA256
c01cffd100d82db921cbfd7a23f20c5f18ebd6df616983f51b87d4ada2a195f3

SHA512
d53bff4bd8b6e802b2e265576f041ee88ea18e1c327b62d27e44ecdcc6dd51f015dcfc60a0d507846e0bf41a10333dc6c642a7b5cd50c5a78bc75b862757467c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
39f61324844d707be8e25d709e3d8fa9

SHA1
f43b975f7d8f97fd31405246b253a02d15be8137

SHA256
71426c5f71b875b2cadfc72a318c9f7dffb61efa7e4d5928d49d8c61fb904b06

SHA512
bebfdf4ca25cdda1e99964c42a7a6a9ed810b15dfd778565a7f261e219c5fd1e41b91a25090df7d57900cfd3960f56287505b8538c8990906ce95ded04c05533

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
59ac7e831b2175e53d272161e4af185e

SHA1
9929bd48121cb1d88887c7873876a2645b1386d1

SHA256
d4a009f585046a678a32f1a564ee451cea9d8d5095f49e09e276babed4c2963e

SHA512
4a81bdb99cc43ab86904ed01ef75c2ab938c79ae27bda2c66290f2ef73eb85df52cc140646488e1b89ea46670617246ca925b5b8c12b03c9e83dafa2c875738d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e61da61709c1ff1ab5cbdb27908461af

SHA1
6c88454806be35cd5b97499004ebd45fe9a1c8be

SHA256
489460a33f28f1d03cf720d5db52d24d8185b7674f328be4a937a2a1257780da

SHA512
e91aa2968055063c37a720036dc1c02507344057317305b36d0493aa9ec770c8bb032ad12e612270722e87f77bf71e4c94e876417181cd7f5e5c0d38927a9d59

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
89cf30e14d2c96130f6984fec8be61cd

SHA1
f15c50b540363263e1eef4a064425243a3b83da8

SHA256
b09913867222504225adf57c87931b2504c61b1ca890e97b00e56caa3956d4ce

SHA512
606f4ca88685b415c091c188c487f5eb20bdaf90918297b61bfff340d5f41c242d4583cc124b2a4db4a7fe4d3b97b4562aaf0414121b2cb86f8ee5274c6333cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a292f7dbead0a0a55a22c28abb397436

SHA1
753ac16f14e413ce3c7404ce342006dfc5b88ae7

SHA256
2dbece6f6bd23fc41d07e266fba1c2058dfbfee7317668fd37fe18b469153cd0

SHA512
2bc6f15b6d1b7501217330b83aad7e6037e7c429fb38c1872db69257105d2d1ac5ec93421146fcb0c9a38440b4e812446be1c164a6c6a65f94bd6a42e767cfb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
162ee127c2a095ae8489004eb3acbd47

SHA1
a146f044f4eb0a3e08c714dc343491e4034744ed

SHA256
649cee71a17e9520e68ab5e102bf7eccf65819d54650953667b6741c5058dd59

SHA512
e5c37213d3cb298e9d8e6ea9a63906be06db64553784d453a9be9535056cac8e557f48d5986dc82e1deaadbb3d7381712a119eb955a4ab08d6450d8054af5fbd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a8e01fa7674a2c718cc1822cb0b5234c

SHA1
7484c6837599d80fc993a3f3ae0a5f9ba136df9f

SHA256
f3a573da104d3bbbd11fb0e4365e2eff83b606ad6e3ac9c4e13b65ed6a4c0de9

SHA512
2753f3af3dd1b9e712e08a2cad43c33e75fc6d62e16b6f78d4c6d57e3079a65fee7354203982db48004912610b64cad496047a07c65504b5f143809dd0f68d88

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d5a40349a9aa3c4f2fcf97f3d92e3f40

SHA1
f5c05d9d03f1cbf4933813e0fe79141f8fa17547

SHA256
3a1877077d6b8c0b3e12f086c6de735d43909c7ce9b76ed115581223248f2a4e

SHA512
e7084297eea2d86b18e6fff957a8583f6b629421ac2dbd7113f4d7bc8d2e7ba6ba5773ff63b9aa3c42b889228bd608b61d1b138706316b0914a23e646e671f80

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e46981d5f32fd524b1f367f6e02fc3e0

SHA1
db7e34b20c89c5d901e2c47139822dc46d697803

SHA256
1e0a65d2c402c08a8497e924eacf8ad13a1e01aefed9971ff61765cef32618a2

SHA512
4c73e3a17fa1515e27b0cdd7f94dcb81fa43941b359e3052606e1c4116f5a8f8bdcee4659842bc289845ad81df533c025c7d8398b4e45cf54bbfa2ce0e30bf48

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
60375e6cb051ffb0f4e0a82733b9d13b

SHA1
d9ccd9aa9c41901fd4f4f818eeb6ee14072a575d

SHA256
96da242f357be914679b0ab65e02b052e59e00e9489f17ffc0ec0a442a667bcc

SHA512
7113421fb09acc88014230afb8fc5793ab9aa956a4b302f6874bab85aab7573c5c07b4232380c504ff085efb13558a74c2cffe567c5af41fe496c79f492ecaaa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9dd722e29e2040a2b2fa4970fb843a65

SHA1
7c0aabfd18a0b2cca6f9125d293627aa5567097f

SHA256
ca23bf34cf2ab9a492c13af19a8e1690a86f2e88f91a61aa9a73a2dd8a133232

SHA512
259b07d4a73b9101fa0037040b00d99365221407af0c3b43d12a2b992d96a78647e337ade077bf3c76a06f1be5da709830d0d83e1f298a22298657d7c9cccc03

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
146ded578c9063b46b9e809839f5808a

SHA1
439b12038b89857fac653807bfeb22775cd85a48

SHA256
976bccb269206caad87baa18ebb5a210f314bcf4b74b535c43d7fad4e155397d

SHA512
06f7dd08b313bb52bb59ae1e6cc18bfbef49e7c7c351a8b680af97c7f1d3562e38b7ba78608248318f1a20d022672041768a159b1ceeb3ede1f5f5d611646e2a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4ef42f4bd0eb258209c6504cda37dccc

SHA1
91a77480cbe92dd67d6e2d398c0dd7e4e579b0ca

SHA256
ba61268811f55162251b63d882457d5bbd4502f9c892cfdbe55443f81b3db19e

SHA512
033a2a3c84522580e7b7df43d012b9f6d7aa2f557ac7c73d8b6d934c392e5af664edfc802e8fafd12dde0a478565e7dbbac1f7256439f078c37f8d0cd46ba8c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
296544cb0a873968a88c92a928a5f962

SHA1
c8f28b1feefeabc1a5e9b18d982a2b3b7498be3e

SHA256
3bd95c661875d3cc8c9b11fd971942cca477c40f9296381b64ab280468fc698d

SHA512
d9818dc0eba9bd473b49cd3fb623284212654ff6f7b91861a43047ad6ddb88d782d03924071539f084094eed3ef2fd8b9154c04da74047e366e376e265129399

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
85852e7bcc63772075edf4cb0c81803f

SHA1
5d8bd95a2e6c3697ab64a5ad2f8206b2b39c208e

SHA256
29f0dc611a00654041023c2601f84d280b3f5bc53baccf7fc513daaef8545664

SHA512
c06d4851bec9fdbaaf760deb6c49df7f8e8008016a6db234f8a0c350ad105142373fa2acdbea3515a70dd41cbbc2426bb03f22053dd5b3caccb981d2564d3c0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
9ed0e688dfed562999681cb6f70eed90

SHA1
91aa8f230d537ed8461697e3a8f79d053fe45023

SHA256
494a50c5e6fecf1c98bd69efd5c703aa96178c365f5698119d01f359d4a3fc02

SHA512
1a43b77cd8870de62ac94326189051464760d40ea32fa029e0d2f07d915631768702c3323b816b0234855a50e8e7df71a40a32d9e0de3b676c56a749957deaa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4c222a7fefa8507d7e8035ec99819648

SHA1
51c3cf7682bf3f0038c8ac4e2a6290b3067c5c23

SHA256
86a5bcfd198d38960edc6781ba5d8c3bc1942a5c929d1fefbe8f1fed6ac1007b

SHA512
8bf9ecff28d088b5ab52fdb2d513067ebd7008a0729b89cfd9796ed74251d8ef321e5693f963522b8cb5e59c7b43898d8108492c89c9ae407f0fc5cf0254959c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7923445f7207fd0f246da339df5c10fb

SHA1
5059b80073b33863a463a5e347a3c3dffda0841a

SHA256
ec87fe153c6d0ed4c5fae01a50780272837f09adf0cc5cd766cfc8d0fc2f5797

SHA512
14fccc9eca4f204e6628e446bafc06ae4df8abbf8cf4f6b97af35408ac6b14d55c4cdbce47eb1af9ffdd001370cf5ffe10f384e7c4aac0848aac5ef48c788857

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
165a409577339ec9c373a703d961e695

SHA1
95f39d46e19b9256b3ea84368febfe162f9ca4fe

SHA256
d93022247dd27242ac202c11a1f04f4571b38c817864b62b1eded1ea5c3a17e8

SHA512
8715bb157f77f83e421b4176839e15ef1436691f61ba62cdc7434ce39cd6246b36b4006c31ae4ad214f1f2cbeb0fe345e5dfa363e51d3a1b3d8c75e9dee7e28b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
84e18d394b16439e1e3c5244e630e2b4

SHA1
b4995dcc7afaaecb7312d2bdc55f39ddeb401990

SHA256
2ba5b0ad15eb4e9bda6a19b15b8ce8aab40043002c40e6cabe3d9f6a7dac2cfb

SHA512
49a1cf98faf1ad612e6cf0ec0fcc3a25d3f7f30e168df85f3c48a7460eba2d054b3eed66e990a711cffaf55d5a8ba6494bd7c600e692e12e02cb0bf9cea33332

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e9ce432b936a8bcf9d96043dd852e11a

SHA1
845af281d09844e2631348381c9160ceedf6ce0c

SHA256
38063e43e9638872f72223f5d5619ff23dbc3dedfd5496edb24b286244cc15b9

SHA512
6e16a0e3f76f86f2ed20ff53306f7692717a99ca55ebf5682c177b49d8dc888749fdf12f817b1ee5f95d931a1b45e64904096ee4f19ee26b70403fa83bf5b478

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1a1ca7d22558523ac41a25322e247fb6

SHA1
9eda99e885d8121fae93e4578dc4f8fa8d3dd5bb

SHA256
4e5e411af33fea90227e675c1378bb3530aa4699c2fe48db6df00046728a698c

SHA512
54b95b8c08c25dcadcae4b44bd2ff37121fa9763e07d35a63cc20a1b93d2c3574c5ce1f25889c07b45225a452d1c6ef5c08bc0efb7b247a918430275b3b720bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
914cd52edf0eb49e9c44132da741c2bb

SHA1
631d32bb976d754b97ef8517fdf05a542a2c33b7

SHA256
05246bf0a5b8d8c536ae9758271479275c1902fd524807ace36455cabb925e98

SHA512
3f8b607188d076578ad269199e631e89ba595cdc0ef1847896e7b083c752af2e4afc22cf7d7e8b61ef724d273171f7d45f5df28223731720674b18f4e933b1d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d8cf18b26d1266a616fd6284cd274050

SHA1
c9618d1242931b41ceb6c0ec2a284a4bede4e87b

SHA256
b93f5c004eb406a1c427b6348e1960d668676fc1200a329d59b6663ca06a72ef

SHA512
d30170a1c54701f2d05274927340d006d87a04a5e78e68e2e12383ef5f6f05298f2b03a67758699f3eef904865e5092a69d8475f4a70097aa09b397a4e31024d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4daa1359a054ae9e55b1896a67162c4f

SHA1
297c123646242012a6896884ecd0c2a0d818d935

SHA256
4b81a57e90379858d2e9040f3d88b726ae3c927507b9b3f38ddc294ed633b245

SHA512
8524cb07c3768abff1cc20345762da36efda45658b6c4081547d3d48126c3049fc25aac554c5cdcb1a885376d4b47503f2404bf2589e9d0754db466d82f4cda1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
424cc8b71dc615cebb8ad51cea985545

SHA1
ecb4c0291f75277c000185292a34753d83eaf39e

SHA256
1dfc36d3848c092e4f1a44d7f6efe0f62cbb7b478bc3f95e32aac29dbf01767e

SHA512
7fec7babed35e2c7ad039ed38f6d46f66e012500448177a06a59726b03ff3a9bb2ba0cabe7a94bc56464d69168a7bc023ad860b9fb0fe005b671ac3a79cacd41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
60eae78b831d5d5e92279068624284c8

SHA1
5a99764a573bd30e9d8259500aa25c2f41d78a28

SHA256
78aadf4a5252fd836ad867bd2e281e84165827c5f3dc87b18e17a988b6cc5516

SHA512
46b7a2c299d924777de5c51d7f31ad3c4a6e533eaeb00f59dbb733708cb7bfbcda744afbbba8bfcad36ad13f9d70518711e3bd55d9c434b922cab6d49ab1c53a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1ee80bc60205f93c4c01f3eae649b318

SHA1
2ccda9c67fd9c7f691bcb80cbcbec72feaf8d369

SHA256
7e1b8a82e6c344e6b89546af8530880e38ef966f5e46c67fbe3aa46071fc052e

SHA512
4eee861ae72f134a0ae5cabe960d5ba5ed6253ca4effebd315e6689c82b6611874a797e0721648acb2c7cda7052fcff7e14ca7e58283a9ed51a10fea74506977

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f5014334eda9776ef1ef1cad576f694a

SHA1
33497d09a065fecc4a8149c3ce9fddf2c4d81f53

SHA256
f62e08624ac1897e257b408104b95c3ceec1454bff3cd046c453dd5425aaff56

SHA512
a04914c2a69d59d0b5d146d7c5550cb4e1e63a91c660a7536d69a6ac8dac1d1ff446b7cd8d172bb76896d42abff1a33c36140d98a2982e2b7f95cd6100947ac8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6b58bcc40d9256b334637a6277c3efc5

SHA1
f1212723be0e9410bc31dc01bfcb97e604abc811

SHA256
492878bf6d86e3cdd3afbbba26f7f0870fcc67da09004e1a38514c7d7982e184

SHA512
c268c250f2b9ff9d47a81c7d5bf4ffcbe268e1ef6b1862ba9097386e5287b2eecd2254190f46a84553b310b55db1040c98bc1c47f5e0b80785134f3e7889d730

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
52bbacae4e6c761add3bc2f4a1fa0791

SHA1
b421f76981e4f14c005584ab4a447471ad0acfcd

SHA256
ce505a93fd6e76f71a3b3dba80b5acfd9c980f48031094221f1101e0ef425870

SHA512
4dce449477b8d6bbb17395512dd8726a9b4e67668c65056da474d28c4510bc58077f63dacc0363a8c0327956279b0644fa2c8fc02d880ce38346fb673e6a01ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
c5856823688d123913c897be4bfe86ad

SHA1
2cc1684a4b2fc20d20e5edf75ee2f5c497665a1e

SHA256
ae27f78946e587bc8b7119306664ffe116af735b02521cee783268cbdcc37069

SHA512
861500407875974c5045a6ba72d77a788238988bd53eb06e795e1490fe926450463aa0c96dbc3060392969881fda41ddd60c3183283fffc6e49257e8586ce453

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
93016c273ffad3bdf6ef4d83f810b5ea

SHA1
f9a402e7dbcee1e36068474b3537350c4e1acf0a

SHA256
6f0713cf07476f2211934087cef8b48f6fb34846667bdd39fe632b49344e6bfc

SHA512
de01ab75a3429cc1f3f61f380f698ad7ca7eeb662c0f4cad94d3262b6c3d69a4642949b35508380117fb4854534bfcbba022f8910e6967cd83f48eadcafaac2a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
00f23a7985253f81c541f2a014f03ab1

SHA1
3167ab888fc980374a7aa05f6e36c7d88d569c42

SHA256
67816d539b5a1fa161ddf88f3a83fc0323f6f451e072dda21e00bbef2743b9bd

SHA512
0f4869e736d573f3958a1151e265fa785981fbb2f9bc915583b33495fc7d0a047fbef463ac6095e8c6ef02ca16a8538cf6bf3c1df9fce30f206b537d0b08117c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
eb1aea2663b1bc1b0ac9469de136b2a2

SHA1
df61fc9a6bbf5e27b72d7bf02a1b2d252e1a4d37

SHA256
8fa3d7293f787d240566535ad3c888920db3679334758c757b88288d7a62adcb

SHA512
cc2561620921ee886a2544d0a0434671810298495c05f89f0076991e9ec4a82c46e18a7557aed00dcd9c35eba0b583a110dba4d5987c51c41714ca3e1bb2ee27

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3bc49ff9c95bf6e76c242b027179e695

SHA1
ce2de99568e22e7fa00279d3221dc649bb7b6a0f

SHA256
ccf34ad58036bde6a156716f64b4bf08cf073ac15e888cdd0ff8a59683a114fd

SHA512
7f1de6f4d0ee2d9fc948f294b94ca5ffff7af50fd0fef60e386b757c2d2e22aaf2ad26d973cc1e6c2d040773e55200006f31c7959041d3f67ace62c7c1ba490b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
66f6f46b8bef8416afc3f705c036df2d

SHA1
d5c48ad45b680c031075a93506d94776cab5c0bf

SHA256
9d1c72c8c84acf99f299f2c5ae553820ff66f1a9c2cf3522eae016a4cbce9de4

SHA512
abf321f2291956d85c35feaaf8b108b0a47d94f9ccb50defa0e980ca75a9aa0da934fbbea8f9dd3702225ecfd7b79f3ff84aeecbb168ec0f745ac331974019e7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
67319db9237258fcb20a4cd93d535f2a

SHA1
c0300de634d10c70dd3dccaec8ed33ac90702749

SHA256
1a5c9a5b41c3bdab857c4ddfb29fd3b06cd33d3cd63a4fd6a1b04286c2e75168

SHA512
9012453d8e07f3ce8498b20ad4977fd27366efff68c0e0a571e57e2c3b354fb2ad3b217ac8427a95182d2a964b5d4ac381cf6ecc7adc7f38f3366222ecd7111d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
cd7aee46f880009f82c516ddc21e5085

SHA1
0b9c86fecc92236fd5a0f5c4c6a48b0e53281eaa

SHA256
8cda2cb04448385987581f4f78444407ebb03a716908d311d2711d5cf6cabcfb

SHA512
c1d267b1de0c4a9d563edaeafb79536afa30e3fc153edb7b9b8aa02ea3a03b0d44824b2f20b8990fd0406ba92eb52381812ce92cad1b15f13120e4eceebcb727

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
339841bece7ac5b285bb95ab2c6f31e2

SHA1
1155bd6cb3dcd9c2c7f5d9bb3ccb578395172884

SHA256
b6bacb9200232702596b3f31a08efba04ae3c4f2584310672a9039fcef950754

SHA512
8eef121f556adfac82dcfcc3f8ecf3efac93fc43bbee9b4de607390c997a6f51758c487a358cb5795c344ab6818bd31d041ee9205f61740aea23c1c4978765ae

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f63de3ecb2320223b6344c56a9b15da1

SHA1
3d351d93c14c95785fe7908c65a924565cb92a69

SHA256
ffcbf3d4cf503e9ba9b664dbafa2fd1274c0ca6b72ff0d9f0acbc772c66216e6

SHA512
a28cfe7088c094f94cfe99538edff9ef81e309555b4632f55bf8787290b9deaea0532447f93db5c7eeea52a452714ac1a2e4b1dc8918559c7006111d24202309

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
25782972f80026f41ec79a7e728a6de8

SHA1
6fa88232b65432770e8add913c14a41d02ac4a86

SHA256
7e230a1c3921fefa73d150da3678493b040b991bae5401475cb49303ba45b4f9

SHA512
0d1434acb5f8a7aabca87a33244648a9852c215d773205ed4d09154df2fdf0abc444c079eb47dca8f9557b38d3c14c45b7252b923bcf41e928ff09bb7768dbe1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c478f8a75d3e37af8b5cfe65a66f051a

SHA1
6b6c103c5c59bd9e7f6dcbca3cdf9cea8e863825

SHA256
dd88f6f4c004cc7484f378897c27f9c52628fac44f618eec17fbdc1a55aecef9

SHA512
4bda5f707fb536cd9b6abf638c2cf236c5753ea2728f7da432cadacd9ed97fe6a40ebd09c7cf26f585c0cbfcad8aa9337ab96ec682df25b29431219b49af2fb1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e6ef5a571ade42401f9c523adca717e7

SHA1
1603f34d3cba09859876d6ebf74e0250552734ad

SHA256
2f2624689bba559d3a1e6dddcc8aabf2896e5ac4a263087521a4db43cd95fdd7

SHA512
72112a52d3b217e522d7fbbe13e6a91f023bbac1790cc008f424e3330368930b8d60ee0cb43b323dabf0a348f8556ec22ef5410561c184ed66da02fec695db07

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
697c80aebf767a1b208ceabc565c8a10

SHA1
c62fe2f09831c3e7176eaf8ad4d4e161b8fab786

SHA256
27cd4ebfa4055393488bb34eadd16512ec9c5f02b68ee1c59de6a6654948adda

SHA512
fbb0e043484b7160dce85531e491760168b50d0944af7025a132d82b80b2357de23bb05f9cfe80b5811d21e6bb92b7fcf5a0b473c43c3bf789ad6dc2646a99ce

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e0ae3de68a48319b8536e2f1a67e598e

SHA1
1ace54552f104c066875810a1e1aa3207ec5c7aa

SHA256
f117524e77bb7f470bb8cd1c71b826c3c40f5678df2b617a22e603a81b52b3d9

SHA512
44e325f9eb85d92838ef88783e9bf32884394a043994a86371a3e620a8e934b8f20e3f9aa78b7f13e7c38d4bb0fd5c717ec7428320f9ad77e834525250208d48

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b03b079f0ac97a64d48bf8a4fa476bee

SHA1
3d3a19c3d83bf75f00f3dd6e92e2e67889abea73

SHA256
f00d090d66226ecc0e893e9967811c254c43c14f71d7a2217036aa1ae0b56509

SHA512
7f80e5135b6a40425443fbeea64b5ccbbf068c3e21841e4ba096dd8561927cf0382f78ed7f4e19259d72382fd4dc883afd2a11b13c4f64f98cff74bf7ce3a85d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0db8d75223ca648c28e5c5a202e6911a

SHA1
73916b65ade4fb97cd106ea00e88472d33ffa2b5

SHA256
4a5da2c23f9b237011462d6b40452cb79260a32ce8616f0f008375fe397711d4

SHA512
8bd175fc387bf4e3ff33083f8a4ed690905fb4e8141f37e5679123b8e3662f399f3847188549ce514bde43d40e346c0dfe1b54b5dc0f1345a2060148da03596a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9857e25f77490c3cb463e695166c8b30

SHA1
d37466fe32b9a06ff3f0e9669b36306cafec34dd

SHA256
9d779bf875c01baa5795a7938ecf8cab9e2c9c4c33560f644d9f4ca63ef27711

SHA512
8273d8a7ebb041f932d8311f29eae587d2d1909a6337ea5111528e405bae236e82e5b50eed9aa64fda45c5ca12c59ca795f0ead2a9c9e50ac5f97b2f67e1f2ae

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ba31591487dc46af13bd212aae9ced8d

SHA1
4f35fbc76d0581c21eac4eaf61b24281c3d34354

SHA256
c9656ce4cd469a840a8aca8313c8262f28c5f1a23c0c5f976c4dfdcefaff3872

SHA512
cb75f33d394075c7354ffdb37d38c96243edff438a33173390f576415538099fef9d770c22b02dbdb10355cfdfe11329eddf0b7ba12da01a17ebf6631b844217

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b77599b35bf61e5663b7738c778d96f4

SHA1
509f8cab50d6cdd88420067a07988eb9ebab1044

SHA256
5d91fd40f1fe805d50672fbabde95760042e15ced531f0c79e83f2244b006317

SHA512
bf442a667e3b845795b0ec8f97240d3cc9bc8dff7e6efa3c3121d4d145584dbb23d8845e502ceff7b29a6e5981d3ae932c59fed2acfbb0a9e83f780d9302a039

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
94aa65e59eb09f94c70987ef2b71d6f6

SHA1
ccd1ea258533f52b74cad05fb2e8cee60ea7430f

SHA256
56e67fb08da6f9f1ea462e29cb1dce016e998807c1d0119db80275dd072ead70

SHA512
d5f6dfd12203c27b105083a982ed6ec88dce8f3c763230a1ca707ab61a4b3dfc54b5e5bbdde45f64f1754a0969d5136bb89b264ed742e511e8f0c5b2982971e1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4503ea925d939e2f07c9c42604fc89db

SHA1
7b995e520094aa53531fb13de4e6fa366d20ccf5

SHA256
25ceece0bf63b5fc7aa444039cf7fb7261c6c3c1edcb067ac1ef0cb86bc65aec

SHA512
abe74d230bb2a515e4e67be316b353eb8f0c236aa446a18abfb46a8e0faf6f97f2484fab7755d9d8f0bc2214fbb8287794136a1b2d4cd721b7645114b9c46892

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
f4c4bf583bfd16c681d2828a09fe17c0

SHA1
a15b554831fb75894a5e88fc490e43cf016cf01d

SHA256
149168609268946c7a547e2645bc40addd069a531688e83c54273db9b6761e5f

SHA512
9ae107f1d80e45b69ccb83b8325959ff9b4bd618a27ea1be826554f26df93725d291b380b5256cbf3e593bcd2afa7d5e75d63e5a71b46f5f8304802d3bb4ffc4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
07070b2cf52ea95ea636bac1969651f7

SHA1
11422bb61ba6faf95345890e3baf1f9664e75e13

SHA256
b3ad42ad3a809153f759c115c173f0d6c85ae9c50dbefbbf5382ec54101c3b6c

SHA512
f6836f434650dc5b8b45b93236603d484e7375acabf9ea9ccd47704dddbf97eb2a803d8b3f3d67e9b2083e3db5b6815998179c13e8d657939ee33ba287ab54df

Download Submit
memory/228-167-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/228-463-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/624-80-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/872-78-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/872-72-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/872-165-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/872-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1488-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1488-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1528-459-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1528-127-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1560-465-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1560-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1568-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1624-99-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1624-105-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/1624-456-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1624-100-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/1916-462-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1916-142-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1976-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1976-112-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2256-171-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2256-464-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2268-93-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2268-419-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2268-87-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2268-95-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2616-168-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2644-98-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2644-0-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2644-7-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2644-286-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2644-1-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2644-285-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2712-22-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2712-17-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2712-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3064-141-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3064-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3064-31-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3064-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3336-166-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3664-113-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3664-457-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3884-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3884-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3964-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3964-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3964-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3964-145-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4308-61-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4308-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4308-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4308-65-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4308-55-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4552-458-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4552-117-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4936-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download