c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
Size

1.5MB
MD5

65fb306ca9fe5b8b664fbd60c7b0cf04
SHA1

c2647fa43b36ecd021b7cca3cf0629f754314284
SHA256

c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456
SHA512

40d7153069683d2c1b7db9883f8070a65c96117bb37a055790b5ffba3417a38a5b3ed502d86b0f709c017359d46640ddbd8c48db0edfcf5a6e88f86685b76e30
SSDEEP

24576:+z2DWn8S+LbzQkWWbCzLLB+lMP1NFzSRY:g8FD5nb2LLPrFmRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3396	alg.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
4024	fxssvc.exe
4164	elevation_service.exe
2420	elevation_service.exe
2260	maintenanceservice.exe
2588	msdtc.exe
4680	OSE.EXE
3984	PerceptionSimulationService.exe
2852	perfhost.exe
3044	locator.exe
3772	SensorDataService.exe
532	snmptrap.exe
3860	spectrum.exe
4044	ssh-agent.exe
5008	TieringEngineService.exe
1088	AgentService.exe
3704	vds.exe
4888	vssvc.exe
3680	wbengine.exe
2876	WmiApSrv.exe
4104	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\locator.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\63d033914bebce60.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043a0494b8ecada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5ef384b8ecada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005043714c8ecada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e955844c8ecada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007a1d04c8ecada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002657654c8ecada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073b43d4b8ecada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000881a894c8ecada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000da3b14c8ecada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1008	c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
Token: SeAuditPrivilege	4024	fxssvc.exe
Token: SeRestorePrivilege	5008	TieringEngineService.exe
Token: SeManageVolumePrivilege	5008	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1088	AgentService.exe
Token: SeBackupPrivilege	4888	vssvc.exe
Token: SeRestorePrivilege	4888	vssvc.exe
Token: SeAuditPrivilege	4888	vssvc.exe
Token: SeBackupPrivilege	3680	wbengine.exe
Token: SeRestorePrivilege	3680	wbengine.exe
Token: SeSecurityPrivilege	3680	wbengine.exe
Token: 33	4104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeDebugPrivilege	3396	alg.exe
Token: SeDebugPrivilege	3396	alg.exe
Token: SeDebugPrivilege	3396	alg.exe
Token: SeDebugPrivilege	1576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 896	4104	SearchIndexer.exe	113
PID 4104 wrote to memory of 896	4104	SearchIndexer.exe	113
PID 4104 wrote to memory of 4984	4104	SearchIndexer.exe	114
PID 4104 wrote to memory of 4984	4104	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe
"C:\Users\Admin\AppData\Local\Temp\c149fd190866aa3392d55d0de94c6ec9cafa97e8954c11528a9a119bdc243456.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2420

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2588

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3984

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3772

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3860

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4332

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:896
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6e6b3ba89576c632fd2d67959f8e1a4c

SHA1
383895e66819bac3f0a1fab7489161aac6e6a509

SHA256
c90e81f8f1e246ccdd5ea95c4c08e97cd0d6f68e3591b36c2d28ea695244c618

SHA512
e06db11aeb218eda0a7900bdc63f1e5fa25855a07fd52c9e85df13bc0f9245d5ae6f3bb4d51b80ce5cadbac31f343d7264565de53510b55deba884af55a34da1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
a0586ae966083ff3165efbe1755d1175

SHA1
d5b5362543d75c9c9b4ed64756a247dffef71d71

SHA256
6d3399ea62e2ea9fb2f3572fd561eebfe41f6df6c476707789c01ff34025394f

SHA512
227f6b8b47c8b74a9408bc72fc65b8690350aa741495130979bf02eeb678a4a44d3c3fb0c2590aa12b06bd4b69f1d5e8498549f93bb527fc11793aa39d3dd4f5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
7025f3a55513fe77f6cf9f1ce87a2e79

SHA1
03fb515337ea5109d124a5db68ffca3d474ac96e

SHA256
25c47665acb4ca5d6d444d7719b74fd5147b89c7afcf971a2cce15cbeebc5c28

SHA512
e9ec7dc235e792db0e0153700f8c561e9f8465befa0589e54af2766fa29d380a5477e6bb7227ddf3d03fe40badd7c40cf5d131bfb41bb14c60b53837aa35c483

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c9971c5364f86d15cc21798e9709f4b5

SHA1
f880a8771a63474ae16d725f7643e770ac6d53a2

SHA256
3e3b3422dc7b1a3a42557dcbfbc3380e2581d6a81b0d17075747774ac716a46a

SHA512
08a29947daae3a3837b42b409d8345d249d2366a02ba5ddeb8a1a757de739009ca6237e076db51d5e1b5235a66e1cb8ef2c9b1e60b68183af646eb2c76303009

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fde78f809abe29e295b9614ba2987108

SHA1
a32bba55e98ba21bdd90dad065683062dbb35c0a

SHA256
10ccd8ba81ba30ffbd8bb281afa92ba63e8834f55a3ef3d7250cfcf3f2b5ede4

SHA512
da755665cb98dcf37b399cd503a3ca5936110d12a45bedc614c5bdeb733d0e2abb42d968b8d8474d84f8ebab2c4f26f124ddd5daed95b0b0092721972fd38ff1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
6438310f7285d2b9dd6f7799728318d3

SHA1
5bdd908a06539c6622df13cbfc890ab8856fcb82

SHA256
e4398ccd644b5ec4ac810fbd26aaa5b9d5889fa1c67a53f79f3f9ee29f239d27

SHA512
14787a65beb77b8ca2b693a22de7f8f93203ce08d3c397bd9b30ed5ab2e01bc0165088ff7bd4a9c2c41cc4fcde5cea5373f1399d8508487b259b34498fbf002f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
f82b8611841ac56599839a3c0a15f15b

SHA1
21a061edd1af6b7c058c641fb036e7b98c1c9285

SHA256
b1e53b46ad66a1955fa9ea16700ea4b388d3fe356e5dbdda5e7d14021c472a12

SHA512
3017b61b6593c5aa5785e69ba50b95d590d4138f3634d3f289716a4009ae497d08dd8b7a00d9f5f018a45091b76617241dbbb42e4a3797b195964c970b0379a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9ce18dc6ecb58fa099573b40865ecb98

SHA1
e36a52e087cd22d5ae560cfc27063a260cc78736

SHA256
35999fd2153bb978d0ecd409c56cd7c8784f9fe6150fd9dabbc5f48977ea5b85

SHA512
d3cdacebf352e81907165b3cf3fa7595a0e925a4829a7bbb69e79f3fcbe245dfae999f644f4deee6f20ec5e2257eded8691c78d87920c56f6f2c9b748879941a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
67c5a5e08803931d18c77afc3d030d3b

SHA1
3d4c7a206b11bf49b85153f606066d7f2dd8b614

SHA256
55bcff0d96ab70ffc9441e651d456a0ede7804af6a57d9a47182a9e447fcb687

SHA512
b71dd86a609239ffcc546b3f7c9dcc291a8f248bce461390cbc21f8d2422af13f3334834f1a6006faee87d0fb67125bdd07131afa54925bd74c14288f197ae64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a2a37b7614cf4578dc3d6e91767ff5c3

SHA1
1fcefe4f34338cbcb5cb3c4a705861b1fe26a747

SHA256
53412c47c0f2b2fdf743dfe29dd039425c9b4456843c7e39ea4ba49c94298d23

SHA512
9fe10e463dc0e97127a8554a246aaafe30a41e2adbd5595558f48239a184428f8eb53729769869aca2cd446f64c329ab77874d2a040b00bbde69c43f247b1c9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c7a1bf89a9a47984bccf240aadc6cfde

SHA1
de42d6591f5187c74e8283634f00801c505bc33a

SHA256
54a61e8d8a5e33a0098155ead2f8950207750186e63aa2d8fbdd27334d825b73

SHA512
d77c0072c25f84f9eadfff8af7fd2e228c57ac02624f589dddb7a02e74fb3d31112944276fc6c27a455b1d26412fa053c29fbda925950001f2e3442c7892f659

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9d9e5b01546cdd4d5965afb17c13129f

SHA1
7c07bb24cbfc8c08dbe115c506c9aa0bfc9e2090

SHA256
d56406e39ca6706a3a3497e8ce88550ae49f16ae3cad127cceb517c08dbf8474

SHA512
d28ac9cba296fce9590f9c01876b31355dc0e8f81589f374afa3c3d384b49c2d23b48f36cf20b2601ae649eab7c7550396eb394fe0b51a96525db123f19dcbca

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
2a185339bc2be6b17e866ff09c4bc7b7

SHA1
7e075d3a2a0a5f6ad0e1920a43eddc36cb5d6645

SHA256
b743d9a77f2d97294840654742f20d1c88352b64ece1dcecaf05dd09ad08a550

SHA512
64341c449534bfd730d3cc12037d9868e6fab3c150dac1716ed3a24c2e6d9b4c0551f453de1d24b6a720eddff5d2ca9f9ba1c931939fa533b68b2fbe383d30c0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
0655db8ec1a72dda83e90c7d97f70c00

SHA1
70360b4faa43f0988fc77099581878f5a35f59f2

SHA256
2fc76db8561aa6b106d15a09769ccf3c349737ce95249bfb79c997a55aec167c

SHA512
24b18f98cbf1029c56492ded3c1762416818fb30848c91a95074f988793da72037d965260dd23dde12c70eb214c61cb8502e43d9d0e1a12d0d6406e9a169ff49

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e16148b8d0d1f28d824da2d21915c674

SHA1
352b47d842f02384c3018e030e1863501c987b31

SHA256
ca1aedf698aca746deafaa47ba66e26f4fdedc6147a0f1c2fdeb5427d80ccea0

SHA512
5bac84296685153408f21dee1f9e76b9420c3c3fd2fccd2739acc462ab4dafd47721f3066544567eabc966276a3e74251459a93c6fb96b50c58ae92246ed4052

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c6a760f20acda478a5ee6856583662a0

SHA1
e241629a797736bc66cf52cf3e535265b1a43a37

SHA256
35b069d218a3c950061288c1e98859f02500fd769898c266a686deff540e2e90

SHA512
3b908e1d4c2215825fa845197abdc18bed21a817ed921c37639ef77fa23a6b7240ba1bdeb1b08f6b4f70c4e99641564dea1e6ce6ba70db98ee6970b760056e23

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
22e8364b2805f8d0d3fc10e9e9530622

SHA1
e87678ee0abc501b87fc51b1368cbe096ebeebe9

SHA256
7ee9d929c7c95b49fdc7d8c74772bea0e1219b751e9fcfec78e0a912e5e77912

SHA512
8720002cd93754f64cfc3f0648c8e3c64de52985438956d5559b7ac2340db6cc7f329855b616192515e9f71ec3f8bc686d438ff3a7b7a981241cfa61598f43c8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
36d317054a95129dcd4f393870cb4ac5

SHA1
66638ac2cc74398cef0b014e88c3a35498adb241

SHA256
ebfaea096a87a7cef4bfbca71954e78c4784b6eaa03159015c5928cfd45a557f

SHA512
0a79b7f472a9cac7a04a1078ad07d67c104935520ef7d23ff0a204a0c00f134b6b56b88ed5e16d869dd1a143f0e3c2efda0fbea4b6b41a909b160d700a5aff05

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5fbaccfdccca16271777943beb23fa2a

SHA1
eac3bb37c165188e6001df36a6336bf771032430

SHA256
0f761a0832324b4cb78f7da06d0cf6c00c260cac9565b5b156d763ce5bc1f32d

SHA512
5e7ae834add67293bd14a9b7fa9c1f13f63316e94b32efccaaf3639e4d56752ee9de8490ceee7282c9bd5ce08e479becf35568b99d5de038483f49984536742b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
736b3073c1bb7fa6bde94b93878b3632

SHA1
df7069851c0fa3b0d853951a1f213a16f12fde06

SHA256
0db915714d47d9fbcd73f5d4e5b9af9afa4cba87fe97a8ef43440ed1fdf8afd9

SHA512
63488255234d36e3858c5ef9490f6a2402145e1a267e8e16fa66d9e7b242edf33e549f4afa79a8f7a012aa82d78a29543e70d962552efc4a0a90d6d6d715abdd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
ae6523a40293bad09da8a445288ec916

SHA1
1e8c6250a9460029e2a98cb3cef4eca15cffdb05

SHA256
6a926d518835cb8563b87cc255d6be867b5e5b7995eaafa3d53fd69492e2233b

SHA512
fcfe807b4939fa4c1c99db1449fd0f8a0b06c039d0d44fdebdcffb6b6f8178d7f170bc7df3e8bbe96d21d0468f5c511d3888b11d21bfe8dbb82bf97e2b0494ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b96b1fe1b1706768a415fcb8c3d5a263

SHA1
58efc38bbc7b6db0f83329182e8d03a2f3cee853

SHA256
199eb0cf01b6eacf19057b7c3fdc9d7fb90524726f3a0cc2c1f7428cd349b8a6

SHA512
c5db6edae1df230b3e8cd5e036b7327732aa9d91454beff6c89727a9b61cdec4af085882264c9a2bd039c74ea372fbf15e087e247308ee6acb9239dd68e32659

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
c060cf7b6eef1ecfa47753032034f199

SHA1
cccc125c7804f1689b59478a4c40be8bc17baa34

SHA256
9e44d4628bd704757ff8057ff1761d484803aa22d39144f52dab48dc7b6f3937

SHA512
4491bf260d36b43c2f44098b4b632e3439a754f67b2218da68c0525305fcff202706e74a22e88bc2d15b1ffe1eb6300540a56c5186038c76724df4944c6fefc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
5b9112e383b537dbbf3a2e5ad7c1b265

SHA1
557de8f79024fd21ded263b1347bcca0a71cb502

SHA256
7f878fad6afd2b2b880b36085d2c6cfbab9a5b55633123546760773c69f8c19b

SHA512
5f22d74ee65ead89422b99a96482aba716efacc1aa539f30cb3cb1a2112e36f4c97a8a12cf7ebaafc1cb317d40a11ab130c358724e3d56100c25b4d2accbeaf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
c92ee7af2667eb6be8c1aa4594ac2c99

SHA1
78f7d45ee07d44859a337d34900a2cdc83b4d000

SHA256
af77e16ec8b76ae70707d7af7da269be65093b6d2535630f4a1a0026034043c4

SHA512
5ff08922fcbb5c7bb97f8849ae5854ab7e4af1c062e6e46bc929f323d68bb99078cd687b99ee0d800ccdcdef945bf94ca0ec4efa22fd0a0bc5bce0d0402a0dfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
53e73098ed3e5c1eef54c7c3fb41e1a3

SHA1
d0ba1f29ae1158ae54ba308888010198338a38cc

SHA256
3d770be2257812fa2150b880d22d2709992528b53df89a36180411bac32aadbf

SHA512
02cc15a12130130f5e8a4ab783f3b9a9a06c51e173c7122dcf2d5640159308a8fbe4ef29e8d73ea569d2f9ab0fa8f198f7011618b47d0d2e7570871e6c945705

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
9635397ba1dba476c8afb76cdb8b511d

SHA1
d7586bd1ab6c4fbe73c971d57cafa745cabc050a

SHA256
47e12651d4554621ff052b87091a4b16ebf52ebb0514e6f42951cf11d0dc1bbe

SHA512
de6c43b9e1d898bb3e51af8e9cd9cff41dbe446706131594736ebf64168c0749b5a730a55d0939b39effdb902fff229faf02d8cee0be557203ce03c302433b55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
39ee995f5b32b04116b3642388ea9c73

SHA1
03a450b42d3d40123d8108c69e8d177661201bc5

SHA256
2a7d564e74f0f1a8cb5fa5ffa2719d349c1d7ed6345f691e2cee928f64be26c1

SHA512
a9789f1cc275202b558787a1b9cd33ab2ca1dfa2258bc272dc28c7958c975be81951d39eb5eef69d9685ae99d1e09b8e676a3cb15334f7b5be16cfc3eab0b140

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
90a2b8b0d11959e4daf74184c4f109dc

SHA1
84a8fdcf1bd57dadeb72887e89efb5f75848401e

SHA256
b853f82bba907958e5b31356eb7c0789e2888c063058362abfdc1b60d72651bb

SHA512
d8169644e1d8134622ec211598447fa943d69b0c5f61094b86ac64ebc012a0adca6b5ba3468ac5c0985271439d0cbde1b27d0d7953d4298391aca7ecf6f3489f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
71aebaf2d7ac2c19305ac455c08558a0

SHA1
7b6b912bf7982960129f3b7fd4b2d23ddf014455

SHA256
d1d5608b73adbb62ff2aad67c731d27ce4aa4ef66a7671eaa766fab4a7323df8

SHA512
c3804000dd8ede40eece1086a20dea2dbde88d8ab4301f1d2a6493b45257b9335eac4d5f0cfd51c8d76dff44b0917574a0bb3e6493bb8f574f5819330a66131e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
cab4424556fb1b625e59d9b8c91955da

SHA1
e2bedc0b612f18dec055ca15e57035dc3e6a9971

SHA256
0fbfd9bd01bc38d5d74cabad7bb0f22f5e6445ec04c72c9d6eca4dcc6524d67d

SHA512
450a47f39437d4a599f3f21dbeb96813cac38fe4d1bc877b9e3cec8cac6aee5398aa33d7bc22b636d691b7d8dd816fb193d0979e5e1f869eb9ab34f54c842b7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
c0950fa1fefebbf0e0324fc0a8e6d115

SHA1
d09f0b32c5c907323fe7054b98454754be1f168f

SHA256
d168b2101ecf83117d2119fc8a643d05b786a5f935af79f0ecf7b71b0fa8e499

SHA512
811c471accf6c3f2960977fbeb216389cc844ac6899939116eb85aeea7b8a4e98f61c93efab18b1817c84ae0e2420375c952ef8dcb72d12995a439d40a4bd3ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
b594509ffcc5a311490bb1e5c38b20a3

SHA1
5b84de38120317deb7515e9ce2e9bee081e7d56c

SHA256
c4a803d6f3e16a3ac5576d4ca3c1c70ccc96256a375ce16e24b7420c97f5314b

SHA512
f6e86761d4c943c6b61d4f8f057b3e4386b25881bc4bb70f12e265a565abab6150a95dfbbaca494d4d7ec799ab88e1027ca2357e5161485989a70d86f918467d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
958bfd1f227a2f15ac789fd1c42c4b32

SHA1
edf97b49787286cced19911a4ce9e073dcd7af00

SHA256
d65f610a6a249c0b84b98612de3fa8cfbf0b8b09690597a6f5ee14c1717c4b42

SHA512
eada68c503e55672f4138a91f6a13befc25216fe4f7d94f5bce65dface1c2ef63521c91458fa1eee7deeab35feb747155164ed2457d996ebf60b164fc14e01d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
951a4cf8fca58815ebc52ea6d1af3326

SHA1
335467afc5b7725e6e2c6f60ad2dba3a21c6daf8

SHA256
ffb776f0712aee7d75a74dbad8f627418b268f5dd3f5fe6851fc5191953378c7

SHA512
a5cb226efc13f0d3a7881193aa601ec770df7d8405157020daf66ebba39927ae5fac3639f6a10046ac2a1f4b0ebd308a89163f7ea4f94871a3e003dd67e6c766

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
c978882de9346fa82f8360ddcca6c105

SHA1
f35bb62c50e16ae3762dafcdf0687ff782fe7e18

SHA256
87f45a21a7513133123a75b7223e0b517107b392a2218cb988898088c32800f4

SHA512
34ad8cdec314e184c7e4aa5eb33521b33b50adc748a0a7e2a47388288772b3c830f78bb7961b92ead6c0a0134faa2dcf0875ffb1ee5daa6319b9e5362876a25d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
6072279efe291ab93ffac7bb084ba2b7

SHA1
b0c5fa6f8247b426bd42fc52c0cdf83ead30a9d0

SHA256
46b5f775724c8932cbda462b440e166e5bd009981e9b4e11159ae9d5d538f1b0

SHA512
5d94aff643440dd8b477287451e1ef001a28b5764796a3385631a9660761db51e993c4e34663b32a2a48cbaee4ea97e08d989956a4f95c1fd4dad439d1a8acf0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a9c7852e5c7cc4cc29908488bfa55048

SHA1
4f02728cd2ec7a47426a7be012916c6d2e59cbf3

SHA256
b20b7f239591e97600cf445cf1675a3338c4662274710520e06caab7bfd62e31

SHA512
4d01fdd4ede9f9d4356d708280fe6230722f1ad6551f261dfdec62b915f5c23d1ab8027f40f07547b52e61dca613965a924bef31a285af0e5b0c8866b5e3d8f9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
62c86ef525d0ad6ab880d7e12ce67db4

SHA1
39d6084bf615d63a1ed395c02ffb3a911dbd4714

SHA256
b5b9dba3acd5c39ca6607e2866da83ebd0f69770faf882440ac744ec0c6fe3f8

SHA512
ccfeac41d17621d87f7363ecd6bddfff86feed3be977fe7e4b262c6d8f00b358d3fdf43b36918e155331ddd2de9447e6d834c3d8371cbb880e7ddefc7796b8ad

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
324ec7a2f687a92588c929a0cfe009b6

SHA1
cee576604b2d5ffbf7e5dcfedf618e8eb05214bf

SHA256
5535fa070c158485e2c10b8c107b6cf0b12ac4b8e147699424b55283864e3d94

SHA512
0a2ee72ad425557e0abb6b537873fff23cf24e6a442bd735a5a1913c65f111d689f853a51f9cc7598d6b1c42c836a72e4bc560bb8f0fd7ea0e222597947f0f6e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aef77dd9abeb4dd7ea69976265c6181c

SHA1
0c1edac8a49b1fd9f96127acc688fd64502129e1

SHA256
30542d42aefb459cc363ea99d725d1c830adecce625ba4714ac70ce2c19f3e5c

SHA512
ff485f6f3f9ee32a75a1045751f75944724e11331c9749c030319f83b544207cce6b1abd693eecfdf8df16f45cebc00790e932c035ed1ca237eb15e835e49eee

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
61b1d14cef8c46288cb1137a3ab38b89

SHA1
ae620c573ee2a6b474f2ab555cd99b1ab7c24584

SHA256
1b96e2051d9de0fe1b16a89c07f047c4e494dd50b82233cb8b8098d0c3683bf2

SHA512
c075b1bdf413eb8cb727e977ad3d87fdbce260d817512cf2e02ff23640038b42c4b81e59834baf23524e8863144a0fea22ee0b5a4d3cb8089b2f464ace029152

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c7a1a88b31ad56278c6f5f3b078b7a38

SHA1
f2f6074106ffb1f936480ea953e3b46725c5cffd

SHA256
b502286373551db34c3ab1febd45e96af9caf122fd0f2df2a8271c2c70f69590

SHA512
2ea4ec39804c7af2c9d66771e369768646bbcf1eb736d5911007c1c58f2adb2b839f25959dce27e2ef465100b89952c33e720f81e07fa51c8d1445d38171fd22

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
e95c25457dcac883ccefd0c4e8e5cef0

SHA1
10aad306faad3e8ae7f35dc5968f66b0ba078597

SHA256
d9c72a577a0ecfb5e28259131bbfc5f087848c4e2aaa53f4d17e386335327f18

SHA512
ea6911269e1d77d4fd337f691068d0a12d2af178e777f794746924667874ae236ae4449094bbede51e1e913b5d65cd1e26163d3d4bbd1019a19f029d34701631

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
268361df8bf9c59711aac53a5ca1ece3

SHA1
893e43afd7a416ba11aaaf7954685de58e78198d

SHA256
89c8f471f522b0b501d92c89847791bf661ffa185fe17237d8a878b875819ef4

SHA512
74b29bbc927b677c1fc1e99aa2325dc7e0e501e44f7ab49ae0c7127a4f033ed13cd96b78da643e7ac24b0cb17842a7e709a504080c3eb785abebd59f98b09758

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
d2a50fc9d3977ff821363366760ea3e1

SHA1
ff82a94cb978b2a4525f9768803f1c398676d86c

SHA256
11b1a11e3b4f56d93ba83e62e125c42ab846774162c6c20d17d23d170b02130e

SHA512
d9f13d13f2abebbdae0d4cb596f503d117c9081591a2633b6ab98ed00905f21d0d888c9e5ba75c80165fdb4809f7d02c416b130a2d654f60a2b7b5d44bc53e97

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ffaf5b59de7104a24e1ff22b682d0ca7

SHA1
254cdbf2ec588ac8c0f78a9a4519009c392f04cf

SHA256
67136fe1c7cdddb31d4b324ea84ba53f76062c9caebf10702ffd2b86729aa390

SHA512
808b8e0e99ceb231d2c2a111832b7cc0e28592d994714966cfec8b2beb50f2833af627514a5334df57df468277a642fed6ef745bdcd3e60a8658296a28545228

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7db358b3428e5a33087727e3f0a41502

SHA1
95c570acf28f6ef3ffcdfc71c98d7fe05486e884

SHA256
91a6b8b1ca55ca8852bed548629e7c835fa58811b48f2bcbfa464812a60f87d3

SHA512
873bc84871700350de6f0324b5d9350e0d9ea5e34dc2caabfaca8a2fafd8a4030338b6c495c510c4ee96ff6869bfc3d2256858bf027a7c4b4a52600a259a0f5c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5dffef38f947f945f3c1935c3d74a7b7

SHA1
65b5e39bb6b41861199af0e5958b7115ba06092a

SHA256
e839cd1727ecdaf46ee45d9d463c3c9eea6afecdef6b29c3b36c7f38ca496e70

SHA512
f49e106aaa1b83f0cd0d5ee80caa01f16ea199e7ae526d7b7734f90102de0bbf633a25ab843a0605b0f96e49e3d3a91f32446a1676a3cc6e8e1ade82c1f48cef

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b391cf122bc62aa8b35262d86e2e78a0

SHA1
a847f044047330b9239cd4c08e3304b93d8965f3

SHA256
63b91cc7d1a8b33468a82e8b1fefa6ea9ef647d52c6fc0b4aecbe5f2deed43ea

SHA512
09f3ce8330ccda2b2c685078e5785f4f6c3a6d30ebed84bc208284a8f91fc936f01e37ee3724813a84886b69aae517c94ef0786a7a539c51cc1bd60ad283d5ce

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a7d2d0b4d1927e1fdd62539d7b9bbc60

SHA1
107c32948c50a9dfc38ce2d04f8241cf91dd34bb

SHA256
b01374ac5223123a630f1cd32663c21a79f24d5271dccb065a335ecf4509fb95

SHA512
84d346095d3505edb1533a917351a8f11a1f4b0329e72b10fc8e16a333ac91d597e8e88a0b279d7275e597c3ef6fc69b86d3379f269897de495c0e98dc25ffba

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
541ec074ab32d1723a2c2c9bf870d47c

SHA1
066a17cdf8787632e908c87bf5dba21314920bee

SHA256
06528bc1f48a127c5d4a2da4bde6923313bcfd0ca791d55784bc3737bad24ee9

SHA512
8e8c01735077d42de3a0679325a5bc97312de1bfa929bb609e78a40097fcaab6abe359192a53dd12afc72e37f8a74b58c23b238dccdfd4a3902cb8960ba70afd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
ba14c31109b5de78db7eb46352a5c5a4

SHA1
1d409ab3601fe4ed36b474207ab680632cf2b537

SHA256
ca80b01448d238fba2f884448c99435691e3bc188f3322fb66752ac4809b6d81

SHA512
cf140404024b64e6139d8091ab09d80767a67f7dcee2b4be56e0afd5c2fbd9e0e0c0534019887801512178b029a9e668cd84981092a111ae1c61c26bb8730166

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
768c5d930473393070ba6ac6885d91a6

SHA1
8b928f30e4f363193bb55655cecf3a71d3d2ee74

SHA256
79a626a39cac2992c2f7936930ec95c6d52a5f4fb7371fd6b46ae29e2391910d

SHA512
dd9640d4584d48fd661a758321e6b07e0c8213a80d252ce4f83f56900ceb56593d1545d483f962ff94e5e1bc328d0528372c6080730f8a05d5f7938b7e1a658f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e66dec1d5758214e96e418aaa82e25c6

SHA1
192193b6b5254912ee12c03715aae2f2f57e650b

SHA256
0baecafdda868d09cd7aae5d9058fdfbd338ed61396e5a6c2fe7c792c5706833

SHA512
9ec5b7487e283ac1b5cc2fa140037880f433a960cbef7f6d7313493f85a8f3c275ff3c337b4f9e1989bd397c9be79c1c86425aba409f038dea54f821c967ebbd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
4323e9c7f739db640a9e8126d68e2c5f

SHA1
a3ea691cdf7c73a0a09d067efe4d3dee847211e1

SHA256
02e27446797749ce4eb133119889117cd649293ef2032f533fd5549fe734ebfe

SHA512
4ebbf0cf6b7cdc665118b897ec5400ce4a0212a07953f16f8e34acf3cad3cd9b7b04c067b02285733a19a060b48585cd3c3d3c81d65b77544d0ef7d949836e00

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9e248a08fa162ec609edb123ff60e00d

SHA1
d4034cbdb7ade0be437a4342dbdf84a366a9c877

SHA256
b556d8e69af3e62190392c458a70cf0bb447a3bf40708346425f11c341885540

SHA512
3a739958640597656fcc6d9f6138b29182952d1302954ca908bf1f6cb30badb1ab58dea4d6e3003eccbe038d062c906d4a8fb47fd70969cffa7d00d296fa805d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a9653ace49c92bf8065aac1bff9b7ea4

SHA1
f6b0439d90b69ab7aca44270ecab7c0bed98055b

SHA256
cb9a96c74437212531531df7ba674405b6367a4f73404e303e298945801e8248

SHA512
f7d5bd75d27b808cd315d3967b819d03408d669d14687f581764cecae805146e1e4496f7cb68a5d922cbf31f2c802b3b97db3b348d277513611939b790c92bf3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
910913f9b0ac9328b4f800e20fcf2ac3

SHA1
0b09f4c2b91fa1a969b390e935fa13783ba9fb7a

SHA256
950a2da66ff4c3f241274841f340ed2e37f44dad9127a3fa0f5c52e3b1312c38

SHA512
d8e50863e262f06642b5e606c8df7dd2a70f37ad6cb1f3d0abb6ee29e3b39be076bcd3656dbff6e758e83f08c390964248b56a5f1c0414ca5cf9767cbd96ee61

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
fb4ae83198193e0080e08c50e1184d28

SHA1
d1907aeb21ee69193f9d4f26bb661b09b1c89280

SHA256
aae19d5b9c0f6ccfb11ffc3680fb54becbbc9f952b5321e3abdcf0072c022e5e

SHA512
ce6c14b1e0c152eccdd6c381d992b9c0c6bfc1cb6e2571c938a4d55f395c252887a7b5440b85beff91e72594ef2872539061875d5ee34017015b005724a52ac7

Download Submit
memory/532-455-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/532-170-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1008-479-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/1008-6-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1008-89-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1008-9-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/1008-1-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/1008-481-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1088-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1088-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1576-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1576-28-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1576-138-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1576-27-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2260-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2260-80-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2260-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2260-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2260-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2420-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2420-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2420-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2420-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2588-209-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2588-90-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2588-91-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2852-248-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2852-136-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2876-648-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2876-261-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3044-260-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3044-147-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3396-127-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3396-22-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3396-13-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3396-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3680-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3680-647-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3704-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3704-644-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3772-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3772-638-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3772-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3860-635-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3860-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3984-122-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3984-236-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4024-44-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4024-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4024-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4024-59-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4024-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4044-187-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4044-639-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4104-649-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4104-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4164-56-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4164-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4164-50-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4164-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4680-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4680-223-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4888-645-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4888-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5008-198-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5008-641-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download