af4cf62c313e285d32a7e5be2d5ecbaef36807a1521f60559b55fb704123966b

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74ac20b07d6abd25e39dfa1763666ed2.exe
Size

712KB
MD5

74ac20b07d6abd25e39dfa1763666ed2
SHA1

ec831c81bbafd54cf9f5bc0d5a213cdf204bc434
SHA256

af4cf62c313e285d32a7e5be2d5ecbaef36807a1521f60559b55fb704123966b
SHA512

edbc08f6e7c403faace893071684e853cf23a57a924a00a2b23493d0b8d686fcc47a3d0018986175161f4c83fd4da266153baec4416b5a1dcc0a568d95ad4e3b
SSDEEP

12288:RtOw6BahDFaBfvfoPDct6SlxlwkJJrqQoUhTFfPLgpRtHmr/UNvp8hMoZUDNW:j6BwayDcMkqQpRQmr/UN4MbN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2500	alg.exe
3144	DiagnosticsHub.StandardCollector.Service.exe
1612	fxssvc.exe
3504	elevation_service.exe
2032	elevation_service.exe
1256	maintenanceservice.exe
1044	msdtc.exe
5084	OSE.EXE
4916	PerceptionSimulationService.exe
1260	perfhost.exe
3104	locator.exe
4732	SensorDataService.exe
2556	snmptrap.exe
232	spectrum.exe
4960	ssh-agent.exe
3292	TieringEngineService.exe
3388	AgentService.exe
4312	vds.exe
1748	vssvc.exe
4060	wbengine.exe
2184	WmiApSrv.exe
2776	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b94255e1ed82f9f.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\vssvc.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\wbengine.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\System32\vds.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\System32\alg.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\spectrum.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	74ac20b07d6abd25e39dfa1763666ed2.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	74ac20b07d6abd25e39dfa1763666ed2.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f36c0898f1ccda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b81fc97f1ccda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009864599f1ccda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000ce2998f1ccda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006777d598f1ccda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb3a9f9af1ccda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003341239af1ccda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
632	74ac20b07d6abd25e39dfa1763666ed2.exe
3144	DiagnosticsHub.StandardCollector.Service.exe
3144	DiagnosticsHub.StandardCollector.Service.exe
3144	DiagnosticsHub.StandardCollector.Service.exe
3144	DiagnosticsHub.StandardCollector.Service.exe
3144	DiagnosticsHub.StandardCollector.Service.exe
3144	DiagnosticsHub.StandardCollector.Service.exe
3144	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	632	74ac20b07d6abd25e39dfa1763666ed2.exe
Token: SeAuditPrivilege	1612	fxssvc.exe
Token: SeRestorePrivilege	3292	TieringEngineService.exe
Token: SeManageVolumePrivilege	3292	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3388	AgentService.exe
Token: SeBackupPrivilege	1748	vssvc.exe
Token: SeRestorePrivilege	1748	vssvc.exe
Token: SeAuditPrivilege	1748	vssvc.exe
Token: SeBackupPrivilege	4060	wbengine.exe
Token: SeRestorePrivilege	4060	wbengine.exe
Token: SeSecurityPrivilege	4060	wbengine.exe
Token: 33	2776	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2776	SearchIndexer.exe
Token: SeDebugPrivilege	632	74ac20b07d6abd25e39dfa1763666ed2.exe
Token: SeDebugPrivilege	632	74ac20b07d6abd25e39dfa1763666ed2.exe
Token: SeDebugPrivilege	632	74ac20b07d6abd25e39dfa1763666ed2.exe
Token: SeDebugPrivilege	632	74ac20b07d6abd25e39dfa1763666ed2.exe
Token: SeDebugPrivilege	632	74ac20b07d6abd25e39dfa1763666ed2.exe
Token: SeDebugPrivilege	3144	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 4812	2776	SearchIndexer.exe	106
PID 2776 wrote to memory of 4812	2776	SearchIndexer.exe	106
PID 2776 wrote to memory of 4540	2776	SearchIndexer.exe	107
PID 2776 wrote to memory of 4540	2776	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\74ac20b07d6abd25e39dfa1763666ed2.exe
"C:\Users\Admin\AppData\Local\Temp\74ac20b07d6abd25e39dfa1763666ed2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2896

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4732

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4996

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4812
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5cea1676c7091038c776e2807acb2018

SHA1
50eecc13cac41c7584e156172c9c8f2c9b3ebf1c

SHA256
21fa4866fc74e8fefb49e66b4fcd1d32a672043530dea1db222df973969d22e2

SHA512
5637259e2133878d3c79e3f5aef894c3416bb659922d70718dfd95942791fcb01c8983b42d5b45db8324599b2e0c43a972814eb3edf5c224bcd0a41c5e28f7ae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
2d1a70e1706c31c2628322f155b297de

SHA1
4e503e9391f36a39ed0a96dd342dcb97b1bf22b0

SHA256
e0b1b779a07517629ad6d52629b1dfc44cf0e3d1ce1798aa048d14ff65b08802

SHA512
afce651d9011e51d56d6ff2214c1473c12eef3ae1ffa4b76e37f2e6afd90398482e95b51660ab9fb8cc29f72618bf236283a25b7ce80159b7f840895e1779123

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
00b0267d4ec740a23bc9b430fae303fe

SHA1
2e5a963bd0423df31c23026ab41a941e32874120

SHA256
0a2b563893619c8fb04091fd93913a896ee78e2dc549ffb2c57c9a67ca5cfd36

SHA512
be64b2dd7461a40458800a78a525a229b121cdb11ec4c7b4b5cab2eccc103df966650b74f142a4f2349d1b909fa7fc7b41d1d36efd34cf9eda0cff71378b7ba1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1fb127aa6ed4c91f383ae82839861f41

SHA1
8314e35885c73b30d0b718be240d712dd619541f

SHA256
5b768d4aa4b043a0ec4e9eb779fe840662df5e9814bcffa178d6404e4e69e673

SHA512
10ac7e81fdf65d6aef24b8c56853d5d5a9b762be23bd0f7f1ddfab715724bd69aea6b7318127bf5de038f8a14021328a031f0fc1f66edd9eb930b9baeb78ae78

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7342cf9bfc123358fdcaa7580467fc22

SHA1
18ad3c9f8ff1ad955de61bf24331fee7368c5c13

SHA256
493e00ba6d05269b1df0cc692d4524ffc818992aa1c827d607121fd9cc145c56

SHA512
120a5480563b9182a19cedbe9bb3ec4f8501e4b2b99bded61cdfb3133959a49c5a880031f5482d1efc74eb06c4f1118fdd3df5c490d7c386e75ca1c5423fbe8f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e12ebc340d4ce765575a4dc4fb637d0b

SHA1
3dca0713760cd7a7de54e1d5fe1a1a9328909004

SHA256
108a85f39bd1b0aa566808680fe61b364bb3d5e36bce4ced7a02b27e517a27ac

SHA512
e4b6c7e5cb6be8939432dc809356be1c6b463a5bbd1eff9a2757102d78a38ebc06d9ad70fa07253e3f4f38bbae3248e76a8cf475c3c5ade072b3d0d8ab7df56d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ab680230eea372c7cd29d627868b91d8

SHA1
00cf3fdb417b10f36b497190ba03e81a0849ec14

SHA256
50d84d967c22a806df925558f7afbf22d1516348a0ec3609e2820665585f84cf

SHA512
1abff2ed6fe1393dd2b4198afa6e6fee6f29f81e30671847afd94ed00eed07a610fc3646d0ae031986f6963b7863f4931c91d7c8d0ba709b18e748f76a91d2db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a33b470cfee3be413c9d95bf6a93fbb4

SHA1
95e66d3d6191fa59ffacbe45fb309c68e2192623

SHA256
cf132c964820f54ed60fdd39234f4cd03fe19b20f5c7ef9089e438562bceb9b5

SHA512
8b9817c1bdec3b3ee377b9dc81e30e0c1a18b9449fa40678b359a3ae2817bcde70b646c55eba4ba8591d87e19c66390e5ba5ce5bc0c1afe6c424e84b5b57b623

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8f9185d4dfa421b38eb452ec6bb2013e

SHA1
095a49389f358af69df18a2ec089287d640794cd

SHA256
948cc59b0212473eaa0b79fb2deac32c9e7d8976d75a5e9963f2c3e662bddb27

SHA512
0bd001207a823dae224ea3e72aee4a12f9f7539c4e02c6f95945f6f38612d933b7e28dca9cb3a17708752223604335960fbfe8f404af76d41e730ba451489a62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a29e9db19164b3ec513e00d743255ace

SHA1
f325663b146425b499e84b3812efad587f78863f

SHA256
977f618637b35b6d5e0d04b2c3f0952f087350f055440ae8487225b926455726

SHA512
976f1145ea0dc66cf7b16174158e27a1c38523234586fa004962fc4d6f3061aa5795d563aada25fd59bd412780056c2a0fc767171d362c3f49b03b18b2e2bcd3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c4961b3ddd54f10f4c5be987ac6f4e2a

SHA1
b89be9ab949d15a40269124d2886444567f8c1a6

SHA256
26511d791a937a75d6a8e0962d2c830506a350b42e21869b54a3fcdd5b282c05

SHA512
55152a96c6d5ea6ab12f3947d1ee6f9aa72a22210865550ba6cc4b88b953de4562b96a27cef4e42985c813e85bdd77a8e36f8bbeb9483fd583359bd06d3576c9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c60aaa90700ba983e92defa2c3048544

SHA1
2079c613a1f4813ad0be4bf69e8162d740dbd917

SHA256
970d3dba2a1723eae3f13b4f6901742ca90f129f479967ded058fbb582818652

SHA512
8479828badf611da089139e669c6b03dac98942ba7b8a795dd3abbb236fc45baed41eb43ea43b3ce9b64b8cc60c0b194ef17ee14f153aacc6bf7117ac22bb686

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
75cb368f0de787d95fc156e03eaee4c8

SHA1
2e9947aa66baef64370c11099546c8b60e84d831

SHA256
c8c2c3ec35de907611755f7ad11bd39d92eb8a7ec282a6c79caeaf1a602725b6

SHA512
e9a7d11d83b411131b8f4ba7e83646ab762a3e091644e9205a2407992a59f338e43fc9c510ff942ee724c219beffe8667bc27570f3f58f2262e78131e9f74702

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
738a8105d5660e0df13a8ce7595144c7

SHA1
6836c4a293b0a07374c7d747811f718f0cab657a

SHA256
a7a23e665506431c75171a0a52742f2aa220f65cfe8a2e6342dd4943504c0758

SHA512
0f88a7cfa00de60faf11cbfbd26ae68e69f8235faa94b70b7e1a3f201d068178a748f37dc5af2b8e5e7150920ee25502da71504099237787e3572eb63027b704

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5fd91b96bf5ad4891fe320d9b3b4c7a4

SHA1
3b35e92711813d32703304bfbd3e7b32615175ad

SHA256
7e51f41fb8887e906a25b05f7320dfe4095a31ed6e00b9ecba7a5499844621ce

SHA512
7c5cc5a4fe03bf6baca53a1d8722af4ffbf4e5d2a6830c612478603dcbea5bfb2fe01c3884a78ab05d426465f8d19a588c6e7d79e51f447a0f05604cfc6b234c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
521c4004e2df224c4d1f2e7392085a07

SHA1
15d7af526adf9281550d7c554c26fecd259adcf1

SHA256
d8b1accfb22c1c25bfefa7fef73beaaddd81d788c3f6480d6662422a63afda93

SHA512
f21645517da93bd904901fee5d4e1fa586ca6f84fa28b8e718a82f656274585e9ee0f3bce038dcdbb9526b9c26db4e7debb8a8e670591e0461c3d98638883b59

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
11b8e95a720afdff32793f4a142e7d93

SHA1
e8231075827b69e7fc2992e6e156085b0c4cf610

SHA256
2278439d6a8472f4b08be2107fffc7ee1be24d992a9d131f2025958ef5495657

SHA512
779d6a36d258dab2b2550c1d445d6bf85dfee6c03f89cdb065bfc8d29739738384f14b5203403dce94583f7197d53e9afc773bf10d73379460a3ff87175f8131

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8a3be91b86a36e1d6549eba8bfcde476

SHA1
a98eb64e0b6b5dc230e5b2f77945f35e6eae82fe

SHA256
210e38d193ee4c355b79c737bf10efda81d49e0456984f9e9de0f69aae3f9283

SHA512
057114687eb04ba44238ba452415bf4447931fcf75c7e605f2f55286f32d8c516effb19f532c0c86d04cd3dbda890627af5ccbed8c4bb26ed20cdab2648d6c6a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e8cbe92ebceb77a9bd84ab3e55200c7c

SHA1
bf23d79476177273d23496d80dfbbe766cbfd8b9

SHA256
8abbceb585f44407360117b35bf003a0df7bdc1d2ac14200c67b7d512bac7b1f

SHA512
df15a5537f0216d0cfc82229a4e888ee45a538d8ae1cd6a899dc100268c6b2792f5ec6fd72f09b2e978bdc886672f5fa0f24265e553e7ae267a80438d5567829

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3d72e2cb4a476418f083713fca8aabbb

SHA1
30bca0f3bd4ffd511d0550def22c999b540d8c3f

SHA256
1e21c217e8833eb2716a0e028d560ab1081bdcd6c0bb61abbb8ad36e2568c1f7

SHA512
f05f30f9c102f4facb9b492839ddc46322809803bae40f0004298d9f23c9f50d2d24e0487545ebb13cb4305d6bc65f9d802e2abaec7dbe7a0a7f4b86b3e735d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
cafc6022cc46a60e7e570bcdfbb5c48b

SHA1
fbaae3e92ec7768d5590d538dde941732b206527

SHA256
60aacb0583b3cddeb8f96026968995a9d48c81ee875699cf53521fff499e0ce6

SHA512
3b50a046291653c23504f7a304e3b7e9932bc8367b366d8dca967353a8d4a2532b625e66296c91403d50804d978f8ec8f6a030e7cf677d0e2842b95c52cee71f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
08fdaf7b1d913ee646e0b6d8dc6658ce

SHA1
579f7a8d00415b8acd3a1644353d092f8200e1bc

SHA256
aa2d67cfa59da2f345011c3e1d59df85f5fb451e9531ed6a57750e475b719d2a

SHA512
1a06064e7058631cd5a1732264db0586e670c1e1aa2fc650e083ace652aeec6d566bf657fdafd2a83b0632640db60d4ef4177e7f2fc40cafd4afa9981649dc5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2021c5d2ace5d84456faec5d488fcab2

SHA1
681a1c0b148d997d2f73a857ee2b1fb330d21bba

SHA256
42f2c39f89fbf6321f5b2f63e35f921492a6fb51a48810a13a972136ee1846e9

SHA512
803205e6e29e307c25fb760cce8eb4e39166b2fdc8fe95f4d9480218275e09de7247e737a543a0682ae2a370a7dd9a25ae95d843397c1e1ab8a4d4d97d12d6f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
246c0b949dc749507e537174d4ce5816

SHA1
1bf9102372d6ebf0ddbb2c8055ea23076c8686c1

SHA256
e3916fc5a1fb90df012e409c87508e9285d7c6d30f3721dc7c9a93e467cdc841

SHA512
9bd2efe58dc8a05d4f9c7e2814e48785891dbca0471c03bea0586733245365ffa567d0c5c92d487aef69d82222820938964c3a28f11c981d1f6d6a394165d791

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
42e4e46a7718fe8cfab8d091536d69c2

SHA1
7f3e31760f05b30d1b61a0587f30160596c3d05e

SHA256
1c28748b6c178f1580aba16b4917e4b90a1474e66e005b9b03f098b89f5af8d9

SHA512
ddb874d02632bd368dc70ab7cf8c5a22f754aff69f1a2b54d7696d90c698e5d76fab64e8f1271f8e1f0a0aa10cdbc83dad5e40413cc32343a3377ba24e6447e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2bd1a386c0c18c150658e88001851848

SHA1
e5c35822bd9a1368081885ab698461371cf826d5

SHA256
5d6a5fe7ba46f8466e48afb0882ab37b1e74427079bdba879dc950c0d7a39c58

SHA512
2dceaf79881054fafba932df7f6e64f79c861210787836d6e24899c0cd9eda75a4edd96fb61b978f538bddc8cd116614f4599065ef373b9812c11c7a29d46de4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
503c8a6e2a92b5b44f0be4ed759e6cae

SHA1
7b23e20ec3408b8d534e7f28bc7680856957d4c9

SHA256
fae42c6a7d97477a8b0e17e4a7dffe46d1abaeecea6df5561e31fca1ba0f3910

SHA512
77d11b3501909d88051af9ee70b515bdb1f503041e439a30e1380b53b6735427a7621ec7662132cd7996a666cff2d5c4de6d13bbe5f79bd53dd206dc8ef6401a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b08f6eec3fd8995df8e3f51cd0614f32

SHA1
8d070eaec3f985362c455c94e47c785cdffd27e4

SHA256
8914ba857fc80371bf568f985051d33dc78284a1cc8321f523b1d22ddf3d1335

SHA512
e61b6ca2f28c572be7d6a72ee894dce4fd1b34168aa520a25ed9fc23a2b0fd774847fcae02279062f2d5b6e82396b05dabf3ff4becb47baca2cd0d6192334779

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
bec563f29ddcf4e31faed6fecaef3dbf

SHA1
f1554405630fd3815c5b15f10ef748c45c71eecf

SHA256
13afe15691aa3c3acb9e84029adc8958a76e39e90dce5a345e64d6a32e5c58a3

SHA512
4c0a0fa97a6b57c1c353389c7950691784c29082365cfff58cc67f2ccecff85e29fe7d9073381a7f971424f4ee9cf413a3745ef8f1e3dbdcaec85fc260d5b227

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6526a6e7e34e301ca11dc586289fac25

SHA1
a9fcbf565f45d5cd750e62b3c1b96346faf240d1

SHA256
3bccbb59d73dbc85a1bf5a56442028cc1b8947dd679dfd06c30315c8c8a59c40

SHA512
56747397f7ffc36a049f7328bf2ee73aae61f0b840f698128e67acf73f0c154ce459680d5bc200bcb6827433bae14b1ffc59bb338ee9d0f4c4d69d7c80ce406e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a794cc80ea200c867ba657794149cc55

SHA1
97489ccef3fcf8199a5baa56f7568c1d31e48515

SHA256
fca42360b452cf76a9b764bf9ee885ef331429933365214c3656e0cabb3543ca

SHA512
bb36f8f73299511bc1dd4877f7f340463b5bb623d5cc6e0c0f277cfef46bdd73749a99f88c3425829a858a32df3904483b54ab08e06fe632cd8f387293c6b23c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2598d5083be9c31bf4b17886b11b62d7

SHA1
b362cda52bc750b6b727403653b8d0cf29ed9321

SHA256
8d2fb79aa02edf4e52629bc2bc56ba33aab880508bc12e0fe76491ac2f2e19f4

SHA512
8bd79085e240443ad9a7faa1e85eeb260d9a51c2cffce2347b10f55a11b7a96f5aa066dbaf2ed8239c3afdf0c6732f80410f92f4b8d6a22b9b8c28f1a6cd04c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e2c072dc3261f44630335a461c3ade3f

SHA1
d78deb1c6f13a36a5e40b3e321065489baba4a96

SHA256
29d05754f5c2fc0a631e17e5671ffb579430e7e970cacbdeedaa1af44a062635

SHA512
8e5d8749c90c86fb2fe59e03a52fde3b1e93fe193caaa5a15445892940e36a3f1558c54f12684ed8e3a9526b4225a91aa66430df4eb9cfabd5d14b62156fc800

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
2de7a39b900c3e1daf31577a6346fb3d

SHA1
bcac0b1cd3e233d77b85b4f694ec6b1f7046db52

SHA256
106cbf18a52cc6db10d10f275643f0dc4b60968536f3a94ae78bfece744e3eb6

SHA512
4ddb2b1188ba426c6a7e7352e8762f93857d338243af73487a224506a80adb866dd1704d4f28e29382888b441db6386f8487651e92dd0f481ad3e1ccdb651037

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
bc01c346480578a6ffeedd06815c60ce

SHA1
d37dae40ad50122f8fe03a0c99447852132f8a4c

SHA256
3e19a201dda40746b743bef9014b901ae5b3b12dfd94395675c2989cb1d28829

SHA512
53eecb80dc9dbf3329463436e0266fa3193ac428417563cebd69b220a7eda4cd39f8bb8bd65da1063074d626dfd8211e2b2024f4a91b25a051d08941c1ce3b03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d1e6475fcf602a72f3c33fe25e98de33

SHA1
fdd514dc966a0ad2efe80c6b747cfb05649d9b1a

SHA256
59850c228d61de4a726f8b394f257e6290057df136169a2fe29ebbf5487240c1

SHA512
eaa698a6035cd34cdc4429bdff7d473ccefb86b87d4def646289c60348482d081add3f3f30952c7b54a53b733de8cb270f6bbf408e7ab0f5b5fc118b89985893

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
04162864d54e92cb37c53c2662c36609

SHA1
c912acb2527f26d3b52d453145535ee13fcae28d

SHA256
ffacd70380e220e3d3fa6ee29a2123cac2b0b65f8eee269d11f82929360cdd9c

SHA512
df92e63ead1449522a5da765bf3e5c9a3186e47cc2bee9b80c80da6de2357af70c9145e09f908f606f9cfabf1ad4c8f482ccff507fadeb4dea44aa116b573fc9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c0dfa8beedc93a7e00cb1bc0d5738585

SHA1
620b633a790f43d92c2660265c770b7b2a8b2bd7

SHA256
3d7310531ab99b8076a32dabb6023d65a100d5f65e7c65abcc475c8687a5b9ab

SHA512
d4ccd256ac08f7196a8e80202d5ba9a418ee4ab27d7e2916189a25543e78ffe484e6655784b240e7962b519883468ded1c857ae22e20dc896a40e95791296a2e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0e1bcb1c666294cc6d59e0b6a96fefb1

SHA1
a98493e94a59a0a5fa996a1c8e846ed33ee482b6

SHA256
6a69031e7c5245e38c0c5a0ffe13bc6f433af027bcef1c510e80fa7a8bb16a2c

SHA512
249aec15b2f9449e33d3cd06ab6ef9fe8dce1d7c047fc033da663fdd73e096017b6b6a9f3f176a857fcf4fb883f4cf411058bfa996f52ce0cf47b2348cebeb40

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b134ab541e4ca481d9a60fde1d8d4ac3

SHA1
f5e527d233e26f5cf8823fdd432d7e63ca5231dd

SHA256
2bc56827c8d166925abdd5aaae90449c3abfa08b7d461f3fb5aa741cb6fbc950

SHA512
a7e362198461ed98e7d4c8c0990b133d64d921c413346bca4919e240af9743bd42a23acc9465d3500b1fcf443012f7b55ca3a1767e1650e10a396e480848021d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
92ff82a08b3b859160305f37ad83067a

SHA1
dc9e1ce7c643b5a0c47fb9c013e05ea6cb973dfc

SHA256
2b48df2bc0742ae130b4d507920ff053744a7d3f92d79db55a1d5e0429efb4ef

SHA512
042e707fc7c3c5250c629758c92069d3afc92cf4ab8ef701f1e7fb6de404c0eb86218c829f54b94489a7140504f64753487ab657b1f55e22e3615d412278c501

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
653aff2e4fc7c36782de76162f328599

SHA1
29f8437df087f6409f4b6697f000f0718e29c9e7

SHA256
dbbd7021498d72f0b55d13cf20e89f9b10c127dadd9be38cda02a011f7559f9e

SHA512
30120af6195601257f9e3372acfe59da5d81441dbdb80719582ca262e487eafd6efd7edd6a8b99f431f52f21b297ef6a70a1d3442aec9d65c47f1d0f433fb366

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
30c2fb6ff4d92fe7ff35d2a688b943b2

SHA1
c4928bb52ab053362c0631f6496dd823f7b1924d

SHA256
93b000c8af0aaba84a1ad1872fccf65ffceebfec25a252a20951f6d83bbc717c

SHA512
e751b19606da729f594c91d1ccf54d3b5d7db405c3e65141a8902a21b9e24a487535969e5c9a0c64545e7618d2fbe848746406dae47a585a5f03a755fe8852a6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b86795a688d6d7b2e57e8b7f246dd42e

SHA1
58e9b28fe4be080414f732dbac2e3981da2055db

SHA256
16c4ba0399d52ae6457f4d9c49b3a4395a86a48162d01b8064fcee5a1be634f7

SHA512
e80c1a6ef9d48450bb466d04e46f9117937fc662bcdc1078b9041cce3cdea6cf36cf88795052631bc7754070c8ae62ac8c136554f7b39846fff2c9eca6f7fb1e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
719c8a790bca5a3d12486b3801dd4a56

SHA1
a1e0ce08e839f1cd6830c8962f6069731a5a0c65

SHA256
f8c3e8e8efed4005a4c523832d2a2c623ece7e345cb3e258f8980d7035c1723d

SHA512
fd1f0ae92d6d1b3e649748a8dd3d0f8bf2afe759d94ca6dbf439cbf0caf480d3567399ba2d614bf5a9cbc91f40b2f9f66f02f852a37f50388d0a7d63c6dc4a5c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1344845fc6bb66e13b39bc3e84eb3171

SHA1
e87c80a5206591d12c4fb90af0d6b05542e16649

SHA256
0ce09ff3a77c8a5aef2a78e9603e86ba1e9f523bc94c33558ae571a486d49212

SHA512
d3e556393f01e910f7251cfb8fe558a52fbffa02aad6c415390d8efde0ceee3776041e902c01a74703a4510d37ed84bbb640b904dbc94ba3e28f9e5e8c52be15

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6caf7d29f1bdd080e6d7d84aa063bffb

SHA1
d6922b8ade17514707d61d8ff3b1492ba55c6e56

SHA256
a92be27fa95ae38ae4127f169872b12803bec15b970e632dbdf18c425eda9a6f

SHA512
be95b399ddf190656967f4437182049fe5214247e0d8d8630996c54f5908185dfa35808aa7764ca267373235dfa4876725a3c6af29d3a04fb5214d0a10aebc06

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2f962baaaa615045fc80d24865d8f87e

SHA1
e5da3d958cdbc76837b27c9ca4b22b7395321c2d

SHA256
0e31e9a517daba7cc3de7e2f6292b3724a1ab505eb50b629ece6f602b69c8565

SHA512
2e9fcc85f3aaab912d8104d34ea739710387dea452299b676af8c3c4e6ab9eda707fdce34cd5080ec10f7ec81f6c81afeb344375914141a6d5fc26b3667d51f4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7471a8d18074dbbddee775cb0b59d691

SHA1
6416952a98a7f2951db27136b3a0b4650c3abac3

SHA256
1c1f5e5e6af085225b0a823e9550c16818c0fdca63d6a9beab88e8a061142682

SHA512
d815f355814964bce6b4d5c8d3c184a3501a3d6265dc3ec805b8aa5be355c101c6260ddd41397ccd989e7b7cdfa5c2022927f5f6e007b8c361023574d65ff486

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e4728510b8adc1f9f5933c350977f631

SHA1
28c69eab54720e1498dc31b488ce944ac1080e07

SHA256
225e0d633c83a94e457d3f4011b710564bdc29761f0aadcb3e91e6675c1baf4c

SHA512
31dbb4b793ac5bddac98b094ece6fb3e78cd540986ceffbf12aea897abdf234cd909afd281c866c974b0c6c60820fbc63596944736db7b97adba08ebaea6e312

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b9fb84ddb51cdb23a4e4ee370fbc1904

SHA1
0f2f1190e92510b90a85a854bcdcffd26eaa6f86

SHA256
5fa7f32a078b7a5df6430248fafb85915d29136efd49ee9a1e02a153bc389780

SHA512
54577b0c704c900b834dedaf4b2e422602fec3bd4870fb90f80e1bdd0dedd09576631c65ce57e788ae8a7af233292d464935d33f5c36c19e45e8575ceffc2572

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7c3eb9c128ff7f9ed7b5c5eedb2f8b34

SHA1
1011ab678c16e197b0658959c9df2974b6ea1f9d

SHA256
f8c6a9c7b763e8ebe1be384b0de0fffbbf789f00857ed78471e88b63e096dbbf

SHA512
d2425819eb8423d0b275f9be35d22f9c02ab69303ebbfc3aba57fe42882d05827d24c8ff4323f9fea1d115d7b1c44b5c012a68aee5f5bb51074127813d272e0f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7e707da91f83ee8075cd31f77137cb14

SHA1
ba9e04b226c50ead3bc2be05f5133b54aa603676

SHA256
5084bbb98a0d7eabb6445f1cbedbfec37e590441fbca3a770dd1df54e2ab1dcd

SHA512
9e4fc0525ad2391f3ced2d2ae4ebc9a3e32bdba4486eb2b77785fe71340af1bdf547eddc0dac73af1b9b7639e5d5b2d2e0858d4d3a25ba353711e96283491cb3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3c3bc61eada9477c5a059835fd0015e7

SHA1
a630705ce792f21ba96d061b53bbc60a6d38829f

SHA256
63d589df4b28c8e76dbdaa08163a6978e4e74b1b04a486795387f1a880587d97

SHA512
d40dadb69c1a79b61ba8e48859375c371cc4b4fb3cf92adcae2f2c158514c40b2f30f36f278ab88ca4c3d3f33c9d3bd952390a7d16ba1bf65a823c53909cba1e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b558eab538da663ef8d2cd6a4ca4d0db

SHA1
2597b6c63d05ed891070d971c9f63a5e7237441e

SHA256
d8da6ee28e32ccdfbad0ebc5e207fb9056fb2ab7c556cbd288e167b7df9cd120

SHA512
e048b3c172f7eade38a72569bc3f42aed7823e39c5658110c940e78a3f6021fc61a9a2f61d5a2052d34d79935fc306749210ebbbaf344359f6fa18edfde67656

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
30de2570ffc46c604f9a1ae3c3965076

SHA1
d4d803d9c83bff06a4f9caac5545a3ce1cb347ad

SHA256
02c9977a22de7f07fc22e6fccb4c57ec3db4e2b8b38321a9b45228fb2f630c8b

SHA512
f55acd904cacbcc7648aa7da43aef1bf8baf142dc2eb24bdca672938fe14faa70ec20183a97c47c32b1dc49a3b76d42db508b9b9810da10d23e8d806a4c5e98d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fc663ac6decbb0a9adc8e5457771908d

SHA1
c3e99ad560212d43f5567d1d53510d4ffb4d5538

SHA256
9ab9f36dea61db29641cef99295fd0d412b14934238f8bf78483131dca6962f6

SHA512
f03b4e12c0ee8f2f36689eb4608f71b47f09603533458870d7d9be9b2b0e8a5731ac253242e8c13fe7955ec16cbf6af59e287bef83ec86b6ffe19f3f7fb88c5d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
19732ffdaf7ad8626e510fcec528207f

SHA1
87ab8ffdf833fba8ee3e55582dcad09aea2004e9

SHA256
cd9890de15aa8108c174a65812b596cab36f2d60fa6932af8e1ee9ea3b5e8f17

SHA512
3c19dc7dffbe1eae60dc533fa58b76c94f3ecf950ef85496e1df3ddc1c678553ef37e820819e97f96f8ed672db71142262f0cc381f069ab5fc6fa7de6eb8e48c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ddd707f74a9aaac006532a6f0dd91a51

SHA1
430b71dcc093cd8608b23a6992e945fa53b559de

SHA256
fc1c9019b4c0743053850906740f438b73384a011b4b8d97536f31b278e576e6

SHA512
d38c186b791aab2cdad2cf698ac4d687c4400c1f3e260e9ac4ea686167083fec7930617d2ec77c6690bf0687c1f63804cebb25910dafd4253374e1e8455cc4c7

Download Submit
memory/232-160-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/632-152-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/632-6-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/632-2-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/632-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1044-81-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1256-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1256-61-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1256-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1256-65-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1256-54-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1260-155-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1260-102-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1260-97-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1612-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1612-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1748-415-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1748-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2032-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2032-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2032-412-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2032-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2184-200-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2184-416-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2500-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2500-372-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2556-159-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2776-202-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2776-417-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3104-156-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3144-393-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3144-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3144-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3144-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3292-162-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3388-137-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3504-38-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3504-31-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3504-411-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3504-33-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4060-199-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4312-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4732-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4732-394-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4916-90-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4916-154-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4916-84-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4960-161-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5084-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5084-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5084-79-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download