38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 20:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
Size

1.5MB
MD5

6236bde9eaf7da239696e0508aee4a1a
SHA1

ec8354cc629bc07e21b406190701d46c98a046de
SHA256

38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379
SHA512

aefe47b8d6d4f89087498e96058fe2575fc9ff806f0ae9a0456b2649cb376b04de09ee7a041676b7b048d1cc9a531ddf32264a12dbd5494e9842f53aa48016a6
SSDEEP

24576:iz2DWF8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:QgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2960	alg.exe
4452	DiagnosticsHub.StandardCollector.Service.exe
3016	fxssvc.exe
1480	elevation_service.exe
1408	elevation_service.exe
4140	maintenanceservice.exe
4404	msdtc.exe
2288	OSE.EXE
1040	PerceptionSimulationService.exe
2208	perfhost.exe
3564	locator.exe
3992	SensorDataService.exe
2440	snmptrap.exe
2392	spectrum.exe
3148	ssh-agent.exe
5060	TieringEngineService.exe
1360	AgentService.exe
4860	vds.exe
4040	vssvc.exe
2864	wbengine.exe
208	WmiApSrv.exe
1184	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\System32\vds.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\wbengine.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\locator.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\vssvc.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eed8dc75293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\spectrum.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d36b5cfed1c8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b778ebfed1c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a47267ffd1c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071c9bbfed1c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092f0c2fed1c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062a2d3fed1c8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024e9b7fdd1c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4452	DiagnosticsHub.StandardCollector.Service.exe
4452	DiagnosticsHub.StandardCollector.Service.exe
4452	DiagnosticsHub.StandardCollector.Service.exe
4452	DiagnosticsHub.StandardCollector.Service.exe
4452	DiagnosticsHub.StandardCollector.Service.exe
4452	DiagnosticsHub.StandardCollector.Service.exe
4452	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1856	38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
Token: SeAuditPrivilege	3016	fxssvc.exe
Token: SeRestorePrivilege	5060	TieringEngineService.exe
Token: SeManageVolumePrivilege	5060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1360	AgentService.exe
Token: SeBackupPrivilege	4040	vssvc.exe
Token: SeRestorePrivilege	4040	vssvc.exe
Token: SeAuditPrivilege	4040	vssvc.exe
Token: SeBackupPrivilege	2864	wbengine.exe
Token: SeRestorePrivilege	2864	wbengine.exe
Token: SeSecurityPrivilege	2864	wbengine.exe
Token: 33	1184	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeDebugPrivilege	2960	alg.exe
Token: SeDebugPrivilege	2960	alg.exe
Token: SeDebugPrivilege	2960	alg.exe
Token: SeDebugPrivilege	4452	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4516	1184	SearchIndexer.exe	107
PID 1184 wrote to memory of 4516	1184	SearchIndexer.exe	107
PID 1184 wrote to memory of 3180	1184	SearchIndexer.exe	108
PID 1184 wrote to memory of 3180	1184	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe
"C:\Users\Admin\AppData\Local\Temp\38e824613d7f5e1064c531eefb889e3956dca4ae32b27da4e3b47efc7e464379.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3992

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2392

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4516
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c4157dfbcc534eefd5a6800fe15095ce

SHA1
3fd8b9c09686fe428bfd6a90359d4e27028b715b

SHA256
0451e026b23c31f1e01a15460d8d9675c1cc989e5792df49930d343be031ad9d

SHA512
79ce4b38cbe6a1840e5f923ca3306c4d7efbbbf811d1fb9a4689dbef4c937d47bd001b059016b02226c2583857fd3b4770fd679faa067aa6721f5b7706dfbbae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
a48458bf55f34848bebf503bb658c881

SHA1
946dd124a2f2db45e161c8a0891103edc2a6708d

SHA256
c6ae328ed219524f772bc87f982ecae06b57bed5bff9fdcaef70ad4e097c7d54

SHA512
c095a21740a6d46798b76514c61167ce34bb3d89bdf54e4d5cbb3323f113b170568a27ea6b7568c460a7ae6ca2cce8c60a37fefbea564437f3d2a9e59fa48f4e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
e0e5dc701f87a64c0902bdbaa681fd39

SHA1
f7534c6b30a0899cf85ba459f555f0d1bc1b7fde

SHA256
5a4ad7c763ce1cab9772f07046684ca0792090c667c31ea645cad5d2cd3fb995

SHA512
b2df0014bf7c94f1b51d44f16fe160771a648a9389948b0edd943d6e8eb683ebfc6cc1aa826f1e953d0c47bac1f539bb375d463b8be1d267b0bf44a857577cce

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fc8e8a0e691b28c77eb813a71b61a2e4

SHA1
e27279e68970f59f5fb349103ae216f5953a69eb

SHA256
e9123b092eba07ec0551afe19bc35c3e1fc10f6a88f7aa88e93ff501c7043d60

SHA512
c4856d96ee9e6095742721cafd6f76a572658a351e1f623a56dbb0a431d27b2a0a5a6dc69a1d68bb9c26a5d11364a00b2e4ed25336eb9f2821b7722f015b91fb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
086cd44008a264d4c4e2d19528f533da

SHA1
5096f086136b5d6cdb263ef451186437f41a9174

SHA256
1275f785ddb0c5f39b38d9c9de3453d6a1cf89934f9a5f8db08b13ae6e72d377

SHA512
025aaeae6369119a4aaf7feee1b4a9896e90f2b3f44046b6b551f3c02312d776eaa1e95a4c7e8553ab4b799a11231f9e137e28afad14e7f6a0c0bc0451fe1ec1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
668ca92dcc7779d454d87d3a402dcfa5

SHA1
b46e28a6ed974b61fe5e673b5f8d0ff915f3f147

SHA256
eba12c48d3d21ba4067007d47648a29fe3c28edda85468c714b1a18e8f5e6d2a

SHA512
06b134f874865bd702eaeecfabab4735576623207554d10919a9390ed6cbc199db1d656815cf1922454086931b89b1add7544993b053a8544860f376a78dfff5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
4793775ab6e9e2a2efcf37949d3f21f6

SHA1
29ab592d4a70f43c95b14ae2bdb84138714dac35

SHA256
db758bc4e9c783966e67c468bee6effd54751d86ba10dffb1c9029e6d61248fe

SHA512
c8258a83c182b6388b53f8d3fd74b4a085156638b3bcda4637431ba4e50dfa217f809d9410b0b9da152c7ac1c19abdec5e33a1f5afcfc0b2c33270ba24ebc122

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f09c91a6bd049cf8b5f8a297da3325ec

SHA1
e9aff5bc7c8290f43fbe9be2b19a298b6d0c63c6

SHA256
9b20fdcc9fe61462818c71c011e21c4674ba93019420ceb1386876df8a08f427

SHA512
4e3a1bfbff2353dc6c8f65a2a10967ef671800c9bb8eb11eb3c3eea9edf74b2223d0d841daed6f14404248133d55b6a7f6f97dbf10ec88713d3bb7c64ebb0c3a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
b5499c57a020db53cae323db54e3bfee

SHA1
6ca0a648438b8f652104960f835152d30c6e823a

SHA256
c3dbd1570d80b82920ff88ba8077ac9106864aba99ba8b6b8df934e48aa31def

SHA512
036c4d4963cd86d2386e68983335484aa8f89d2e386dff10e88bdb8fe0fa796125a47372b49fd92127558dbb6eeabbdb6de0f3c697f568aa12c13eb054d9c70c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e019cbe383d2129aa0db1c1556f3a9f3

SHA1
ebcb53effe7bf347044b9a68c266feeaf89cc82c

SHA256
5af97060f69e0df5b7c76c0abca2e1990a1488b75d9566ca7de08c8693d97e08

SHA512
aa177ece03135719339a926ba76948af92c069185b6546f30da69b97fe85d71873f43e9cc373afdb17ccacfe6a772b864734ecf9a67872f26e23c91c3efb9791

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c1a283a23732ac1ae6af3d308f7bbf7c

SHA1
6d79c3cddcea4c5768b51499704efdf466eac006

SHA256
835986d5022f8a79aca323c3fca4650ff563bda19340e43d4b3e1ce59942fcc7

SHA512
8c9603c6f7de63e61881c39571d00052234732c658c0405a1b9cdb7b9b7744594ed08995d16872ed39366d96e3460a5891b01cb20d558f2deccc4e72c3e1cb7c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
90245d92f394524677215407536c4539

SHA1
db2110881b7aa67f45107de62e4a6a089dbbcf1a

SHA256
910f0f650585f6f46d285d80d147e85e3add49cf76e404347e8b53a08b190cdd

SHA512
3df039d973fe32780c6ce1046afa1dd9f0f6c64374f7bbbfed9d032e4be8e0eb32c30392ef12b4944c7aeee1452a8a09ffe7feb9bc9e9bdcb65141228aa4c84d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
fb72b5c7e9e8ba2113b1de20f3cc0ab7

SHA1
be1be8cabd4e2f82ab20e9267913586ac1d84670

SHA256
57389c57def48a3a54d592bf6afed925b54ddcf1c580d71827a15caba3b4a51c

SHA512
110d5284d096060fa1e1f7d3d03cb2b3d38a0ce9056a8c19c850020dda3fa4aec7241afdd48395036ecc9f564bcf2064d615bbdba03cf85cfecf5b62f158d85c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
a552d0fae3b3bd6326e637809993c7ab

SHA1
3c7243bd3b2ac9fe9a6b5e7fc47760bef2a16ca3

SHA256
a3ef11fb9334d0a1015692192a551483747688b3b92571c715c8972f9e49e08d

SHA512
3505ef7513849fce7e7ee7e1650b4a7ae1f0a0dac5f3c0433ca094328c190bd99b5c749ba12a6b7c58e1f13e1c87f58194e5e345969bfe2db97fdb433227b1a5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b73a1e2792bd5c31f6803985e190f7ad

SHA1
f6dc291ec22034c7e11cf902677f7ac60bc1a8ca

SHA256
ccbc59b7ec180f353627e17f95176f964ceb19199eb0bfe1e95eaa61aca935a6

SHA512
fe38ec2c7ee01133e72f84745a4ab9f0d92945699add7425e8843cbbf4847b670ff2bb59a9dc6f7f5c66cdb34d3abdb598368bc1b49e4af6afdc7105e903620a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e0501ea8a27d79a3d82a58fe0d3b2f47

SHA1
8ebb251b6cf11d80de210de7d4562d8124cdf1b4

SHA256
b042778ac09317e7441cfb1497cf91716a0f681884f337ef9d7e4140026229b0

SHA512
fbcd8935d44446907d3c6d578c9f8a95d3da892caf6cb9ea3e43bd830a9db702f58f4fbe387d9c2422dcbda1b7adc1750429adbb7dc64dc5b612fb369449c6d2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1c582c8e3a67db48d3504341d0b1e63b

SHA1
e72f6d386ad1e0f3ab008fcd3cc7dc6ba01fad4f

SHA256
0df54921def063b87cbf4828dd0bb30377484a3be38d4781962d9073537d27be

SHA512
de5f2ac26a3aabb473638b4ac86e2ab3e11571aac254a69198f3cb7bd1c3facf9cdcf304198ed4b0ee90b1d3733fb0510329709a1d0410c285754d3728225289

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8b10a497fa925a78f135076de632128d

SHA1
cde2edcc3c4ca66610a322610496618b2669fd79

SHA256
b4aa7622485dcd20932820491b7dd8e625f9dabee0fd2928e929d639874192e8

SHA512
ac44c7fe63146148bf8f9255f75bc275c0dc9a4cf42c0d7a5683aa6f00da274f3ea8b8a26466dd488cdc05496c9f3e80646c953abef8ee661135f3709080e192

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0d87b057f9a853f5d2bbe7a0328127d7

SHA1
0e2d1953b7626861b55e51c199457ab3c93a0fe6

SHA256
7a26c953c6fe9221d2dd15b1d38fa17c0049bb13861e4400af190bbdfd710c06

SHA512
2549105aab408ca6463dd186623e04fcac098ffc5776daca8a979462e36b0c3aefb48c6cd6875d8e995b8cc3157f17cc5d7ed1f97e159e3019565d925a0624fe

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c848cb9f3eca9e615092a4d0b4911d52

SHA1
334594aeb636c2af57f91283d169074c5f5e2164

SHA256
683e95b3a03fc6b72cb0d2a51a512ebbfbed320bc81f631e28ee43e144bc9611

SHA512
b2c3ec29d28ff4496b5d0fb47dc17b0f58e709b4df57720d354495e4d9796dff739227552b468bc6969595d211b71e9d16430e076a55353720212b88f58ea125

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
6606c60a9f11184b84233b4a2f72d2f9

SHA1
635a708192de9810d08e971260ac0818935f20da

SHA256
ea1fa47922dce8174aff4926cce74edc8d3dbac809a8cc5acc0f25f021a85b85

SHA512
fa14ce95e58bcdc58e4cca608514ad2ec365198f686a9a11680c1e8290b7f5c73d41e0a9990d82136c967c751e93a0aa1585001931cecccf7cc742ef2264bf74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
6d05908b69910b753480f3bd598baf47

SHA1
c26e06d53c5c5e022cf8f927765644e0fe2d4f8f

SHA256
af2e36b52ee8e711ffe75b1ff00936315f34df9190e42b9f5dd43931f422ca8c

SHA512
0f18aafeed2b37e91a02dfc66dfd4feca3d90b6de2706b662ed13e0b1be7946d0cda27d52bc976081611e636df6a288bacdcef533f4ec052ad95ade0f7910251

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
d33a3857b1e921eeba080678b3d6dca8

SHA1
19fccf9cb04ef768f2a52a5e82876e23c391c9b8

SHA256
c3508ce0d8cb7f204d2f4e1116f89dc37258c4b2d322e57dbf5ab857956bffde

SHA512
a10ceae1ec2c7b6e9751f4c727177a95ef38170e1d568b6b62b6e087ff98548f8ed4970743f56afdfe562846f1e206dfeb73f893f7cf0cfb91ce5271daf9d1c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
e419735f00e01219d780e3aa0fc8ed69

SHA1
dbe00f9b80eaff59b16075e9e26835721a9e02b1

SHA256
a9beea5a06c193771dcea5c18aaee8335189ce25d3e1716f838c9972366e8be4

SHA512
c29cc1a602a69e9877182b21bcefbedc3fc861e3158044a4e608c6e27087f98c3ff50bbb7872f07afcad5abc4290545239443ffa89f13bfff7b0440a525519e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
0cf1aa3f7579ec44673c115f8d9b4147

SHA1
47ea211ceaad01d7a727f7bc2c2121ffdc1c34df

SHA256
db0429029a955bea36eb6ad0a6cc07e1ea4727bd46a6bbd124ff17340e5c9e45

SHA512
5e6a7d1fe26b76e2951eaf9942c57e3e7d213e56920b362662d1608c8ebc1909aa2af4f8293987925d265dd5b197ca2ac246974fac4d285e6e91d159538d5b4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
6fee542bbd24d6d1cdbd837b41dc278c

SHA1
501bbf260760d59f1c338ad5cd8ad45429625e71

SHA256
4a6f5ef4449e1f9fc1802a7832b198facec064e600f75999c0bdabf9df2f79b9

SHA512
6009e42045f223921965d9680881fb73bcd94a1839d28895eeba7ecbc13e14ebdcb95a71dadd76678201e1090752bdce425afa531c309877fe45a6ba3935a56e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
4923c3179e82224836e415e50cc8db7f

SHA1
b48fbd49ac6ade439547aa6ac45db7a230d08560

SHA256
00e98c7fdc405a54296f9ac2922efd37c51578bef091dd491b1fd8b11aae63ac

SHA512
314dd7966917d45cbbb0d51d097ef60b76575d96bd1bd8b901740694c6ddbee09ded72bc0b30691893954c381815b2b586ae3cf8f48e5bf035e760b5b2647277

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
cf1414632f8c987f9e156d5f7c2f33d1

SHA1
e5eb8d26f36254b97bdee0e4e949966df9a5df45

SHA256
2c68aaf106d41682cf33707cb9b90262b7bd709a8a5c078edaa10a8206c08b2b

SHA512
ae33eec71eb9ee2fad4058b77c536cb03c070c501f43644fcfae4d29771301ea842cee0fac6f180d1f4a3897c0e1b049b52377c937619802e6a478c3557435fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
4d4de095d9265432b33f81227a6cb1ea

SHA1
90d0db38aacede87fdd721eb2d27e970c68c9ebf

SHA256
4a79f10002f3338670c18c5ffff7b9bac569091d0f18bacd3d4f2c475e1527d2

SHA512
485f3fe88e55eb5a8ac6ee16bd67dd700a7455a013fa8b5ccefb734e01fa8a36d3386b66e20e2287632795021dc4f26d74950676888a151cd4b4f6dc41b45177

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
f1b5ba173a9bc115d3775fe6b9df0108

SHA1
5d8e6c4cf939f0edce3a769ed514ad8ab826658a

SHA256
145e20b8f7bca31c5dd0fbc0783440768a17654b182c16e8bd3bd979d3d571ee

SHA512
2465eb517404ec1c13056c6aabc933dafce530cfb6923be4263fdf9b6d76cb17dac945cfbb2a2165194a153252ad7bfbf06083a79551a96f4fe18ab8d6704d63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
386c70fbbcec76b9af1a80744a6d4270

SHA1
a411bf6b7025c1c0ac4fb64ced14050131ecf322

SHA256
30c1381fafb67cc6b21aaf03b189510d78c9156522dda0334910e86c729e5c26

SHA512
d22249d75ce0cd0db8e0c5660f1879821a4237e5fec3a67e9c3e3667f678992ec7b036a8d26abb101b30c501fa29b7f07527e599235774a3c4cd4f3e4764cb93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
b128920fe086d2edcb6c20b0daa7e9f6

SHA1
d2047157bd9005241b899ffd40a3ac92dff47368

SHA256
08d099a4564e6ab246cc8de66fa539fd65be412dca83bbb1cc3a0ecde1534f5d

SHA512
c2ece89cc301ba7d0be0174e0284be8206941746912ffbced5f2180aa67c19bd96384f0e65967b516103463611db5f6278c2f4cd4f1abaab89b3f22bd20c3f5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
0da77e3f2d616bca875cc4e8dd9a4cd4

SHA1
c726dd538490976df8eb58d285e016f975fdc19a

SHA256
ce651b63fad7b982304bd1ae7a2be44bc907114b75731d6fd39ee6972444f486

SHA512
1b6b241a23777fc9747a070dfc58537e12d6f30c60aa97f6535fdff30b3f801f459f82a53b1a422ec60a937d9a3377b5555e3130df4710a8da65c3d95e736446

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
cc3d0d72529b9185517974a2a5119cc6

SHA1
85784ca676a78284958a381bc30fc9d586889830

SHA256
488c89fda69e5da6985ff8ace33cb62cc6fd1bc6be6036da7ea4201c74251e9d

SHA512
92f9ebfeba77725c73a281f9cd15d6a40b4c24f331f7315bfec87dacb7cb44b341ca2bddae5560364587a744e595e31893cc0198296f4018eb6303b0cdc81ee6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
ad0a8083428efe6a27d86f71e280d621

SHA1
e8fce53d125690ab50177628ee674e4773dfffac

SHA256
a92f73e2cf58650c270d213f1241db0fbe7bc3defb25b1da7e120689fbac630d

SHA512
d0a02d7edc5ac8ea433025130a8b1a7ce9bf38e79b9459a7edd02256581a2344b2cf604f248bf4a9d6a1cd1c07847b3506c8e23f0ae30e801d92388273b04797

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
be90d64927ec5bf352aee94ae730fefa

SHA1
6e886262091907e9dade72561e5196699d73e571

SHA256
1d581b74f139ed87becf51165c2b0f3eec0fece98105e9ed82963c6b23093d4a

SHA512
648ba272c3d1ad4f57d9582d59085b0cf8a7049e96b26010c173acb6f4e1431fcabaeeef216a47bb2baa7df2d92c4488f6357c1ecabd263f6f8102ba0090412a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
cb0064b5016609ce8e9ee82b49ba7928

SHA1
978aa38a560b44e658b8afc24d8ce1990dc0ca85

SHA256
e1c3f9eb5ea41eea2806a235c593111caac2383411af081b8a96f9db90c4d3ba

SHA512
26c0db7b881e3d563219c29ffa1f3b0f58dff72a491330060355771ef4962f31863d082d5fe33446bc90fb2f25ab9864bbffbc028fa7002cf42ab9baceb8c8c0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d360e74e9aaa17758ba01b66c2532396

SHA1
b6d38bb05329bef220bd1c0414312fb16a8ddd7e

SHA256
6cd584b2b4d3771074c891776d24b65a2a378cb8978ca97f8189277a9060de6a

SHA512
d3e1fe20ff46b6b02bc2ec10582db4abaf7d87380107ec75819e08dcfe6f21f03e411862edd02b3f52dc8a8c9f1562c5076449beff7bd89e305091ede8d35890

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
038a99176cd4160484faf3ae2e289a8e

SHA1
2c0a70a872af370ac12c4fb82e1d542d2bac0209

SHA256
6f7ffa314a04677d393f024953b2f113854c6259ab9d700540771c26c3a26340

SHA512
b949458c25e67f7a38ac5ac381f392c9c386a34372c07d8db2af53b35ce39bd479e987bafb7ae3f5998a4c709280eb1472579284043babef1ff27ba61a355718

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
6109d0db23ff944093abf9c07724a557

SHA1
ff77cb27f52b1943bc2391263a4815b49ce5f2cb

SHA256
ac5a036daae34119f702378f9b857c30764051b43f7330218ce5861ce4e1a615

SHA512
4f7a3d7d9167547932c611f962b2c021b8029065a190a45933e97b1a4f03a859dc2e2e827a8d609f7da36174b2f2dd401e3c758979d7d28621dea969dfed9fca

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e5a7b6ae516835c2eae9fb20c330a056

SHA1
371e14f57cd4a0418632ff378cc38912f3be8927

SHA256
4094bff93c35289c02635790a9f929f7b5a16a2dc6c228ed75243318407e8560

SHA512
a92d4f4b64eb01b6978358ba2d5562b87aea2771732ca999fa1f856b348b1e2f82e8b27cb53848eccac377a04ed1f264656c5bcb473aecce7c5fbdae886d4715

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
ab9fc47646739a63887ae3cfb964251c

SHA1
9c2c152ceeed0cc02530963de0bae9fd6bd780da

SHA256
482e966ec9a7aa82ac175cbdedd4ee1410b69c7072194a80850ea72f72756885

SHA512
050133d7666d9c293fcd86e33b0d26e58b54fa7b9571d3757504cbf2eb191ba27d27cc897eaa74e91241e8e602c63b5787d3aa03b7ead47b6ec328298f1c3b3e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6f352ae177f08fa934c29cef81d70d80

SHA1
9ea9441d6290d700673874f0fd1813742b96c10f

SHA256
ad32b3a341b0fcfd955eea9efd76e383b59cbd33ffe7dccc600d5e8b3b48d6e1

SHA512
1e8b1e79185bda6dae2e2830ae561dd365baedf11395553efb3c2c1bcf1de7eac0523d23418c7b3d5dd63d85fab3d7bd68342b8548c16fe3e30e6cb94709f1aa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
a404e4488fcd98f103769680ab9a5b47

SHA1
c11ff0e2373887a0d25f0bd18eda2be2c9270f56

SHA256
bcede8fce691d1e671817edbcc4705e80133711d81e7fb5f082027c2ef9aec51

SHA512
ed9c44f65574b814b954d8a40a9bf40c65d2202620ac92d83d6aad2b369c742e65d17cf3fa2188cbf1c6dd4f3b740e09d0f087a6672c130f69d56fdb65c65b58

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
b6a5f8b61d8b8075b9451d3d82476c65

SHA1
cf3884554d78f3ec57b61ad4d38a68e6085501e4

SHA256
2b68e9931e71c729072f28617dfcca0fc0626a384aa82b7dd1f212f0b599fe33

SHA512
226ddf71b81d44659a106e87304a4b6b051204b8aa1a8b163588bb72193713e81374353c1a0c92ec15dd8f7cd391741b36a5436b8aeda027e3852643a0f7d141

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
6c727e93df006d8f7fc0d407b2ddbca4

SHA1
503cb9cf688ed3682fdb21400353ba8c4f987f96

SHA256
b6455c89076b5a53207ecb632faa8ad54c2e82386183e67981e6986ae23a705a

SHA512
097ed48a97a9fffa0ec4239b63fcb18a6a33fc374f31ef8faa2fce6a6e13f6f2c1c17393cbe70be46c3734f688cc39259d33c252a18b7f031d3edbcf8f3e6993

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b6962c76950d31949a6f92c0e334a2d7

SHA1
51ba01b9ed58d6eefd38b8eb2445986bf36307ed

SHA256
af93e501dd6aaa4bd1b95668c9fe3e018b009d7896146c984d42c026416d632a

SHA512
acbca9c4fc19c062b88855c6e1d366b70e67fcebd8c3fba7ecef2287551f2284bbfab65525102d1a7bfe7745b609827cb0b43d79bfab901ab9f91f1068418bbe

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d4e94f1cbe6edfdaf31d540edf91eb50

SHA1
2526e25bac1d6aadb7adaf058fd638d708f6a59b

SHA256
6b63f6303e99270b2abed4b9a94b790a09a60ae92d623285318da4f58d0c360e

SHA512
54c41936704f7a223bdaa8b0ef413c8ba0f4b0af4db08daae78414d32f79828fef836b766cc50a5e00b1e5c9a552f5345668884d6c1f255e627209e4c2485541

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4365ec2cca25bdbcf17aef45a5b3b9f4

SHA1
b98526243997a8b8f648c0e630a6e9a89b18cd5e

SHA256
8a255de7ee80b1bdbacf6480c09d5f50e55cf7d61519e1e67306f4e698014e22

SHA512
8c7f57c04f47aba19147314eb5388007b12d2b219104a47f427d59f9e9a6829d2507c8303a5620fac6a4e1b56ba8e7729b70aa420a3335bb2e5845d4ffe36a58

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
c9bead2c734de34ab0c2bf9a35f1adc6

SHA1
38c339b939e23b39e0c90be38ee1179a2120e612

SHA256
d7025eec1c89654d2b92692fa9a171824da6219b7602748c3200cdbdab4990b5

SHA512
abdb606d9a961bc1a3a5af728fa08d0e3f60cbdb03d03ef9b6edbce69f8983eafefa6d9ccd9176476907bc6202eed7d38af69425bd6ffb80c581ca7759be81f8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
918020c333d7b9044a35bbf15128eb43

SHA1
ee0fdc0d52351036b4dad3a8d4da5a68a90db2ed

SHA256
6462b68626ed8f413743c2a9005a32603942e7ce201b333cfb6b4b31dba8ee74

SHA512
92024e9defe637e5472b6dc6cc02ce91b9974cfaf56363120d69088e99b82d6ccb690ca7a25b8fa6f5ff233d97b55288f839824df5a55d69935c060dd85f38d7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
fb47f4536ae28fae590aeaf7f3c53cef

SHA1
946b3f455394a12f0200d3174efad7c6519731e0

SHA256
a369b179e04315998fb163f86e8daef73af8dc6a7755c77b33ebbe42188865b7

SHA512
e69016d09f1acf4c736b44deadc62f358e5c6884ccb7c75fc48b3bc200dc298382888450f191377c978a08b229b443fe1c3af091e45188dfde78b7ccaa335598

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a399911cc3f4e4a1205a2dcab5d63b01

SHA1
c7ef0bd38f6daab6cba5eff001b926ddb2dddb17

SHA256
89fb2b72e0a5b7e235ef2e03d264a6edbde559f1a2203402ad6fbf1ffea2b475

SHA512
7b39b8fc10053993b0cd9ac4342661aef66a372e85418aad0bc81ad3691f21c67ec8b10d2a111cbc9c111b2cb12c8748ac67848c045af012e84b46b2d83a91a3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
ac0190a6b6d5df04e7a94c2b18192027

SHA1
ace7b34ca85c0422abbf600803221d23b9cfc28e

SHA256
e1f734251d53723d20839dec90431f891fb3fdcc18c9c624d35ef0661f59c325

SHA512
c8c7d1fdb222e04c426c1613b33186f6f546fdcef015ebc484aed4ec51126ccaf656059bcd87d1f9f182c6e5f9098bfce225d3cb3a011e8d5b47c479b029c10c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1d40b4f6326d67c4286d4e0675b37275

SHA1
76eaf48b11ef8a2b234d7f81d85d2f101f372192

SHA256
757bc8ed3a7aeba1f94196224693423e870ffad1be0b06ac019fb9186b26a0e3

SHA512
e7532e0e1b93acfac6b5b53dc79d5b25e14deff5355cfb53a700e67c17489f1f27c5133f27bd628b953cc6eab0ca987cd3d393b1a09fd6d544fefe1daf8f4a86

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
6e3723899e1ef829b226748994a3bd33

SHA1
fff96bb24a10c1a6567dc8f548ee1c8867866f75

SHA256
4c48b5475b7098a1062aaf1ba3461c2de2db87e7ebc3daa22909077c08dd1206

SHA512
7607569e30e766769897bf10b3f6f764f2a0eed885c3d5cd298fc81cf98b5a554137dfc948fcf1fceaa7534e78176b5dc68c5db1d39662d50c385869653e7ac9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
35eebdaa29b5a702e3bdac208eca4a7a

SHA1
16b42f05590cb204d3408ca25e095ea34788bf5f

SHA256
1d9fec5071040658403e8076863470d58e0dffa2d56c86554685fc0a082c48e6

SHA512
a1a9453996e5cb1f011f7b1903af02a7a4f0715e3102acdc6d54074ada4ab6cbd87b37cf15ec157b48fb36d29d6e2aefebed0c1d2b88d8bd6fcbfb2653d086fa

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7e6dddabf5d34a634db068ee9944ae6a

SHA1
d936ed8b0ce1432ed52a047f8b4787fb4bfceb65

SHA256
cbea595bd6ebb1ab9353493186f3e4e165f98fe364a46cb31b99aaa2742d0657

SHA512
b9bdfad1b749e8fd943e915f1b7496529cb1c6e6f344dfbd3b0036f378e23564ad19ea9991a7f54e01af606f498c4b772c643034a17ed1bfb895f84b4f1d4ff8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
77dfe2603cd21569384fabe3a1a10c20

SHA1
9564c67357911714e074ffe6a69e9a0c03793813

SHA256
c1900dbc31918e1efd5ce46c112ae82eb8043aefc6c3b3f035aad5583b0d42ed

SHA512
9e1805c5162c16e747361060ce73038cae6ed18552429e8c5b7c2c5f0a36f171f33cb3dce8bbcc7ba59e44f618d18ca013843ae5c77345fd4a77a3be6ceda055

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
bce533849973d5c31abba4cf2cc27512

SHA1
13843148b4f55db7c5520c8bc98f70c0d146123b

SHA256
c4cbb320b1ab70fc1702c8bf0dd1f986fd22b93e6fde30f61711cf32a8e4def7

SHA512
f246c05b2e1183f41e07b67df1b72a99fdcc6dc8717c1478abe92570533706fb55ead6c561ee66fb9074eba410faa6668415ecea01cd779b35b70514ee71fd3f

Download Submit
memory/208-278-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/208-666-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1040-153-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1184-667-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1184-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1360-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1408-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1408-662-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1408-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1408-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1480-661-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1480-59-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1480-53-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1480-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1856-518-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1856-74-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1856-521-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1856-0-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1856-8-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1856-9-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2208-154-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2288-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2288-665-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2392-268-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2440-280-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2864-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2960-13-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2960-22-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2960-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2960-110-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3016-48-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3016-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3016-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3016-39-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3016-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3148-269-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3564-265-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3992-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3992-660-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4040-272-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4140-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4140-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4140-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4140-81-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4140-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4404-90-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4404-100-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4452-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4452-35-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4452-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4860-271-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5060-270-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download