465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
Size

648KB
MD5

a14750fc1c4c25c52f8070361de3bbf0
SHA1

2a503bc2c57d6eb92ce38db1d4b218edfea6274b
SHA256

465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c
SHA512

7a07872ef64fbf6ee7f02041e36f5e5dd47fb26a89961fd5175e603b8ecc9da145dc2e35821a7b3f51ccf050fc12f862374ff4d18a1318fe253663fbc2795b0c
SSDEEP

12288:Pqz2DWU8JlARaGdf1IrOrNhyRfLz707YH7lk9wl225CnPkKb5rdRYd:Cz2DWhvoKFLgYHJWwl24C15rDY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1852	alg.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
908	fxssvc.exe
2268	elevation_service.exe
372	elevation_service.exe
2936	maintenanceservice.exe
2288	msdtc.exe
32	OSE.EXE
1332	PerceptionSimulationService.exe
2332	perfhost.exe
1696	locator.exe
4424	SensorDataService.exe
1888	snmptrap.exe
4288	spectrum.exe
2476	ssh-agent.exe
952	TieringEngineService.exe
4224	AgentService.exe
1176	vds.exe
964	vssvc.exe
2448	wbengine.exe
3612	WmiApSrv.exe
2484	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\40576b7fb3b9834c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\System32\msdtc.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\System32\vds.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\locator.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5ec0a7d3acdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024613f7d3acdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091ff1d7d3acdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f35957d3acdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee9a597d3acdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001913317d3acdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2268	elevation_service.exe
2268	elevation_service.exe
2268	elevation_service.exe
2268	elevation_service.exe
2268	elevation_service.exe
2268	elevation_service.exe
2268	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2460	465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
Token: SeAuditPrivilege	908	fxssvc.exe
Token: SeRestorePrivilege	952	TieringEngineService.exe
Token: SeManageVolumePrivilege	952	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4224	AgentService.exe
Token: SeBackupPrivilege	964	vssvc.exe
Token: SeRestorePrivilege	964	vssvc.exe
Token: SeAuditPrivilege	964	vssvc.exe
Token: SeBackupPrivilege	2448	wbengine.exe
Token: SeRestorePrivilege	2448	wbengine.exe
Token: SeSecurityPrivilege	2448	wbengine.exe
Token: 33	2484	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeDebugPrivilege	2324	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2268	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4420	2484	SearchIndexer.exe	112
PID 2484 wrote to memory of 4420	2484	SearchIndexer.exe	112
PID 2484 wrote to memory of 3912	2484	SearchIndexer.exe	113
PID 2484 wrote to memory of 3912	2484	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe
"C:\Users\Admin\AppData\Local\Temp\465c0b7e2d83e7fdecef8145709fd7fda546ca9aa1d1dc2185c850bf549c7a1c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3024

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:372

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:32

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4424

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4288

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2896

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4420
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c6bcc0f4f6ba85a1359d741e73204fb2

SHA1
1c5c27b77f9b6e2b48f7a21ab84a2e24069eaae5

SHA256
466dd7303eaa18f0f7c012bc0ccdae96aa2c57d57b39ff68ee4bb0ae1af09711

SHA512
380eaa7a5335346e3b5868bc64e727f4396264ec5ee502602ec68c25982a36e33b76ccb531ad95eca791096ccba7220ced3546d91e9f919dae6df2b570d3ae60

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
af81217b7040c0c549700efcf9feb291

SHA1
5c4c09bbc80998466472f51eb40e35f1cd4b4464

SHA256
aebd5680fa8f42fc160c422311d36faf31cfe2ef227c4918889c2fda85bfdeb1

SHA512
3bf4e34b448dfd8f4c2c11ee18f6ee8d8ac69ab05ca48c3851ab21e0cb539f97b56bbcba7179a9f9797421519196e05805707051e8a02de0d9698e6d5fc52558

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6e85652d9943ac3ce93acf4bab85757c

SHA1
4a41ce7b3ab808c1ca30499c18b20d3c9983d080

SHA256
c690c6289c30d7bef6fb6e3f1893811c001e9b4666406e906aab293e5e59f890

SHA512
f59241cefb640e71498696922de7efbc7567c0af3e32c9b6e4f36978ef7540ba85589eb730dfc2a14c0d09659ed29a36635318e8333470b630c8c8312ff12fd6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d4a31e6b593f0377138e30dcaffca2d2

SHA1
a8bcc04914800030300eddf5d9c8c62ac16be47c

SHA256
e730336e4d4e0bd49833a0f533d7025b6556fab6e92c854a88d1606b0ec4669f

SHA512
bdb54e4c34af42ece0068b403b89d3eb3db6dceeb4053abbd92a486b59d801f1a7511cdfbfc50e8b760686fa7c79203927ffb99e9c03ecf9dfff08a7a9e26cd1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5b50713450a3ec4d20b1111ba269fcd8

SHA1
7dd4485b7915297e8875bd6424f806cade3e0c62

SHA256
2a6054c3804bd47e5d92ddd90e49ee687348085e16a6889afa8590c1ab6ec5a5

SHA512
b306543f9412a71dc324befc2ab68428fe78ef97808862ab9da01a9ba143562b9762ef09a8fbe74abf31101968be3b7c3f2d4722f5ae6d5550e72018e5ade658

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
615271f11b5e74c06b544fde009e8a91

SHA1
e26829461f9d4e314840961ebac88a4da05962c1

SHA256
456cfdf59de266428a6e9b88e7175c64c8bcadbda4c743aac17cd06f32026ed3

SHA512
263232c5c6a0a16c931f0748c4fa4e72fdda7ed95798336ab7940c4b30787f4ac53cdb51b621895d13e2147d8ace9565100a396deea27fd1e9e64422956c4723

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
23997da45dbb6eb51874e4d78d5ab1ab

SHA1
ce1e6bc85637546cdc5c6c6e1bcc88d3b0778327

SHA256
7f2cd7a74f32788e340c11e21426a8b244c5e8ef75fa89868153739231d1cbfd

SHA512
dbdbb1c5a70c65924b3a2a4c6a730d78cd2f47e5333efa1d56ed685506575b1b6e40ce040f1cd89ee172e2b411ffa139d9b2701b01d5c601945842783eb19cb7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9cdc0056d677f98949abd513dc34546b

SHA1
e42a80c91f3c1a18920206af3d648b0d2d1aa9de

SHA256
4df39848b324e25ba6aa57436d21e8e5f22690a44fe9ab4a05510d360101be47

SHA512
89bbeb902abb4f4bd1b0eca80376922dfbab0064369bf695dbf3c2abb4e95c5d5b4a62660f07c1cbd612fcbdce7a4ca925742a721d7a952c874cdade2b88d1ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8ded1beb336bae436e6d7645f3a4b98e

SHA1
99e3395a555be364a0759e1f9500ef3e31636d02

SHA256
cc9a0a003bc0140e07186f6423ef8da4dd983f865de138784807323b00029f22

SHA512
ada2287dcf0f584b00110b0c588c30bc35ea82f4d50fff989f5ab7e085784fc5866ef0a47229ebb9e35ec10bd598131d7243098623a5d27a51afa242fa198eca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fb2511bdf15e456841448b03c4c39f1e

SHA1
df4d7dbfa02d748be5e2690056d642859080d4f6

SHA256
460a30566fcf721eaf7f40061aad0d61e4f9d130c5d20e705f8b43ca4f039c17

SHA512
05b204da034623e4d76e21c7c4d1eb89932ddfd4c5a38ead274f9d757a93dda35c7f3d665a27a356a75226bb7a5e41a5d9d54d8d111c5c8dcf10fa3cf253f7da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d35814269b78046305f91ab2006b2c47

SHA1
7adbf4a9bbdd6219dbc29fbba93084218d0f86d1

SHA256
9ab123baad29a211aa29ca7592b8386955549467be89fc8fef5cbd1ea1b56fdc

SHA512
0569ad7a8c5bb89dc02ad8f8f4a73dde0ab241e2b8ae9ed3d17ac02ae3c977309b0a37c7389757fd109a63d7e4316a8ac10ceb22242bc36603a3c3771a83bc6a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c050a4013929da4941b22eea896c167f

SHA1
82fd8f148afd18d37518a23d444d7d1036964c29

SHA256
9855f3087bead5ab3ebb777fd1792e915f1fb1c7a7208e4098dca0d63983c569

SHA512
daa550af61b089c63d9af80bea7b5d77166f53ff0757af7846420770b579b876b8060bcce68c3ea98032add9c86f3b04ae57195bf8c8a962a4317aa02d36d491

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
03348dabc982cb82ab02dad3f913c4eb

SHA1
d18681ded564e75f6cbdfcda73b4cd00536fd583

SHA256
072b7c9c71537181bb5911e67362fd39abfd5da93011617f4405a1dd6d7ca26a

SHA512
69ce545a1fdb8ea1516c46cab3490eff3da97c2aa8de5ea10f8e9e2f898a08450468572ce3bb8cef9486f81a454c5597ab846e0ca64c0491b351d5afb817d48a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
af8f62a461d25ee96488533c8bf5ea92

SHA1
78565a8bb7031172a7544a85146df493e122bf13

SHA256
19faf98576fb818b2aea9ccf5cdd13e40ed6a0169cf34405a18cfd749e5d2393

SHA512
fe540c162aca9e3d972aac4ebee4c48b2272c057276983845e548819ef862d085b9ab3ab839cc429ca44f8344656bd85a49d9815a067ed99e0f8e6f06ebf60e2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2dd9a7fcc7a7af8a905d3cc99c051057

SHA1
d1af557bb6fa5005f6594be8cde6bef3174cd73f

SHA256
557b64d3bd8bc844efe4a44a90f26ab19c284c57ca8ae1ebb7c2e528c977b1ab

SHA512
93ffc417beee0878a2c6108ca366b6d8216454f8213d1d1538a75c0dc3e07b0175251c09fe7450b6f2e2b890f0de6912878f609f534927f886331313a7cd3def

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e3e8eeadc70782868b87ca3fb04347ed

SHA1
1346530ff0acc1239bc6dc9be10da2a52035b26f

SHA256
fa636dea0799401237e0da7d4deadfa058b8f4ec5674195d14acf22855fb377a

SHA512
b899742852c56a88bb70a2dc89d31aa942ebf9f29911b01c790efbd39e6f7701cad2a76fc7a056dbf12c6595ad800607005ba3bf60b41d54d243a068ffaf9603

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
adf39228e72129b893205bc53f987462

SHA1
4f81e3a4df1905fbda5fd09215e80cc90ff4268a

SHA256
efa62ea7e6a40d5cf4ebfcef47d185bf0c27225d31ab35edcb33976441a24a66

SHA512
c9a90fb22699ad605b4bacd33d53d3c6d85548da8c4d290e3eb2ad2dc7c905120985c14e9385611bd084df92790a879a3c04f1fd5ffdf0a3a20add94a8477590

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9a1f374fcb5d5f2c69f1ff4644473d8e

SHA1
c2db5e524e1c8cc43b766cdf29ce9eea3839c0cb

SHA256
0e37c3c98c732cc5caee7f0926bdf59b95cf5afc1e96e7515d2d2fc12556cb7e

SHA512
afab4f063fd226b31e895f9c754afcdc18d500136be86973a4be19aa60c96c4e70aa2c3efc39950113b3d1791e194591d4cf41c4de605d6fb42039439d7a8e4d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d83ab447cf47a330b1661438653ab0af

SHA1
4de40cc1dbfed84d327cbe301e5d87c555d7f24e

SHA256
23859e77309b35c127556e7242dcbd86a9b7f12ac02fcebe8cf86cc2405c3354

SHA512
95625194f3ac1c8a1a167342738be79444c985511976dedbf122c1fded48023563be11236ed125a3ebc4a18957f0dccc829156e1bb6c180f0a6ec1b1f420b5ac

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7584c4501b489e799f02faf9afbe885b

SHA1
e24b567056d7ccb8183fee580f7ef49d36cd4342

SHA256
e6923af7e091c4009f251d70741c1552f9ceae30196bb0cfb7b52105c1366afe

SHA512
246b4131ca7cc9eba385fed527dc4e19f806f73a8755e194b950933a1e297ae7f46a1310f4dde98bf5c86c0c232542a7ce4ce3507317b5f8a20e3e0c7c8db4f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
011db29b3710d059d27e0b434760992d

SHA1
04f4170694b811c801c3f451a3f60b2f048c954b

SHA256
4720e63f50b0b708c7e60ba6ffa73f4a8785a8cdc6bf1ebdcc25a7243633dd09

SHA512
28d70ef2852af17b6de575a0f2773a96885cb98756c6d57f46fda8fd9ea67c93495b96cfc9ef44d69533c7efa53e1727e3cda6d45d1259164c34e81160d1ff40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c261b93f54893d26ea24afa8c9320fbe

SHA1
5cbffa79ce22574a5c20e90f9124c5dcadb40674

SHA256
d751c5119d28ff550f394f4776188272360204c37ed5ceaaa302041f8945d77c

SHA512
c6d8fc74884be5394c181da88c49a3f53cdbe7d1721ed0e3bafd746fc02a5254dd43a2fdda7b996fc1e554223682f5669b788149f3248b66a34488d854969a3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2e0db395e988772f53273fc5cd8fefe3

SHA1
a67ab88ebfb25b6a00ded1bfdc79acc75d62eaf2

SHA256
1918211fc20ee2ac81612e16f9656f0134e49e5296f5417e8b7bcd8cac4b3a4a

SHA512
ef882d61b8b64971eda6dda1a3e2b968ccc5d59d62d48a92a2e5a059ff490a6ade6b36247fed9490607416e6538ff126bb551fef2b4b46a945c5ca3dc28cf621

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
361f19811ccbf4b0557188bc3f11aa3b

SHA1
7487a473efb6927004565b6488c53e440e29349a

SHA256
64a877f1a85f14d461443891f8ccfd70a33e5ea86a85640db22da8184fb90677

SHA512
64d8d57a4b3a7931b9e2a069b05c42c8cb056b21ec1041f77e9373a602eff523757a8d7c9e473cacdd765152c5720b9341cfaa0d9a1f041bb5885dbad1a26106

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
db259ca0caaeb573551c27029b4f1b72

SHA1
8bb1203cabfc12b6919fd3f77eeb2de21cfe112b

SHA256
eecc2f64ec92aed7359bdc61d4c6bb20af965969b826345054ccbccc38b9b8b1

SHA512
01b9817790a67abce1b714e9994863c4152c91ac625a9752f1e02a6c5424e8f3cf7edf3fbf0e0becc904d1bcfa63b74bd1434c8fdcc8d1d617621fd4c98d22f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1c26b0ede6b4eb0f8b370ae49d0d0e7a

SHA1
c0ea8188d727a952413068f92e447e5c6eb22bab

SHA256
e18f1ed961e63a01090b25be01214ccb98a4b8985cd4e49477eeb63859cb01f4

SHA512
c77c4d195ca87b3313d5aa807910ec2b8de8a3391a47ea4b4bef4e06e344d05b720c7528b6f86eeae3e31aceeb6108888265be0c8b8b7c65d71c61633519ca6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
604b1603177054da2457b31d46c30a51

SHA1
1fde5d6a62cdc1bd2bc3a188c4e2451b265e2ec1

SHA256
3f94ff2980c7e4711be9840efb9730a769c09d0809a82e186297a8f87b3997db

SHA512
fab5e3d787c891022f3fef496f5f49ed23f6053d3eb3e97163189ded105c405f36d2bafa381878fdc01f75b7b574291d44e95732a9109dab53c1a774b61dd54a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a0ee5fc0e098ae1bcc88c39d39093673

SHA1
2783ba3904ea064ff88dc1a00bfc0b68203ab907

SHA256
76bfee22d12fba4f46fd9c02f468ddde3a6bf9b4e6196394cd7b205678286136

SHA512
5b57d032c434069d3f53ce2abb8ca03360c48e9f0c9b3e4b04811127d352e23ee3b633aa2ed5d9795b3d7af62df33e96b889d4958841661594d0e8741322f8da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
11f2d78d72c7e0e0221d9031c571c9fa

SHA1
de1c8e0987124793887eb5812c18779407ef3a14

SHA256
48612cdff205abe7f98a13bd49ee12ed4b357861b4d3368f58250b36b2020f11

SHA512
6a4915b8270d81ac144faf507122bcf289679d003c251abc657d06ec1b3dafe2898ae4e663ace63cece3a7635f155818454c54689b27d694b505e247f46e9139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d6a0de243030cbb7d20e4bbf40058891

SHA1
e4feb3acdb27d9673577d33a022250fb517887e6

SHA256
41a4eada092edd456d6a406f6d3e441ab7baabee759c920553d4b9b71c260092

SHA512
ed85ff7271603aa70a23b46968c0509a7c54e43c3386a68e4daec226309a1fb682d9d5fba1cf75c6b1160e55c2b09a2fc0bf78b1d0d8cecf25a502352574b30f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
58c87a7ff3e927d51fb6f24bed76f953

SHA1
13612f4d54de7a964449b27129bb57e5f2c1df0c

SHA256
e78701598609aa51e913cb01fdc545790d4cdf146d32069a3132591d58f57adc

SHA512
4fd63495c886d8aeefbadaaa2453aac4a4237efc3efa4de1d82642f0e9c85af540834822828ee49853524b5e02af4076e49c1d35ddc24d504875030a1f7701b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4f15647164560ba31c3622eedcfac2a1

SHA1
80c33d149f69a4250bdd597aac0e86d0034ab941

SHA256
01c08917cdd2c343e64802ab20b28b6b701d2b63c2f01d39aaa400f001281397

SHA512
0e253218000b843a2342c490c4fb70256b7b3342f28bb736546e0d4574695732bf4f614b2f602ceae436ae0e561132bfe07bc081082e5a880505455e209dbaee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5e299ab0be8811796e170b0164cf3615

SHA1
8da72f59e8d135f9f25b019807aa28fd7ef1d4ea

SHA256
bb89602bb142515e9128bd3f9d095623d88822ce8a99be8627b66efeb46b600f

SHA512
bd9e29a292cff5d736df819ad441f7dbca777ecd4a83d90af4c425436b65f5c90b1a7045581dafe1267f5796e38d3394f1f60fec48be3f335a6038ec95e54da4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
97eacc6244c211a069fc89292a7e5fe0

SHA1
30b0cb7df626563a8dbca092348efaaffbe5a92b

SHA256
fd88cc9fd69f844505562c400816282c0014bb0b97c35c5862f1747642506261

SHA512
a09c290874ed38bacdc5155b582bc861bf28935fc2b23950b0739d8d59af8c071dada04b8878230844b12c00f0d1da17987036ebeafbc71b972e90f2a9553c20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a2aee253465942c3538bcd34ea8f1489

SHA1
287d012adf8f0def4347f136a153311365d8422b

SHA256
7427a3ce0f07bba051f1bbe4e3c76bbf3689a205c65805e736aaf7538da0bdde

SHA512
1d0a5aa85ab83fc4b8ba0a010776568abe401e7b1a5ec53986c19e27687117bdff815d4a2beff07a0fa0c1ffccb2e75b8a993830a587d45da948bd2e9ab2f301

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
92329b199df61f5171ae204507c2cd55

SHA1
c93803c6a4e55040ee3e681e105af882724486f9

SHA256
bb49279abf94c36bbdba7d9469f2eabe97fe24f30757f3632b2a26ba2c451c8a

SHA512
ef5a5723803ad4b68d71025ac5929465596eeae38b3e1352a6c985bbac194a5d425ad98b1276cb46b59dcf63aea7a69a1490098f5c57be2c1295bdf72d809c8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
c6ce1bbb142d3275bcb368a499e4fddd

SHA1
54e2005a7dd001732c1238a3aec3cb8a05e2eeed

SHA256
5c33fa82e6eb49768a7bb7a58d81a17e85335c374db6c12ab151c99d3bf11de4

SHA512
7e5d82b95272630023ea137e055583c2c15ff88befc38ac41914ebb2ef35ddb7c38b6e0477ae5f555033cc36151f20a03b629f76a688b2e813fd263f25ca70b9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6dd4398a16ebd9a3d37f77c9b186b451

SHA1
55d7f9eb1f83cb1172071a6441291b5bff9f3eba

SHA256
2be401fce37a12300b37cd50052ddc695afb9a67ef2b8e4f4e67bd7ad7da258b

SHA512
503925bd1a66cd0511464f39566c555aa5ff577e9f768b4ed7606d9f1d2e929b3147c89fd5a611c8e068e3f34fc5bc6a6fa1b0dbfd227bb73cd2c3255892d8e4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d41208fca7d5ce3c46f803a6f731dcd8

SHA1
829e0e299e55bfe692516c075304491448db7740

SHA256
27f24b5db67ae210114a922d85c6224c3303a52fba5adc65d4d0b9b647e98237

SHA512
25788258a6d21984c542856698592ef46e4f3dda2992449a4681b0efb38246deff2826905a7be785c191ddb559f91f1e94b18ac1c1ccfe7b94f9764f4444c12e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
766ae71a65d32aba231cc69f69502352

SHA1
b6429c07657afb490857dd456375d416c7dff218

SHA256
da344d45698c6f27f8cabccb108fbb8ade20bc59f7488c0f8936a1533db7bd7c

SHA512
60e5c03a485cd7ca7d6f2e0a48326df1c2a3c917899d3cd37551858b367b2688b105f27117693aa1e73125836bde35c1ede4a51ffbfe6ee80ea76b791367e9b4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
38b8e2601c318437562882356183cb6a

SHA1
67fc7eedd36adac24412c7d75c8474a543f070d2

SHA256
4823711f51ffac199e8cf667512cc985baafebfc94de14bbec687ff35da40da9

SHA512
9f2d9ebe95201246de935b5ed7153d429317e809aad7a88df31ecf66c78bfaaaae6f667d4c8d709f121c38dcd987a4100404161c716e616b6525105c48de0814

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
619ff0c6ecb7d70906b2908e6da1a4a0

SHA1
346452f0fbd47952fb8d0079f9885dad021cf22d

SHA256
78909948e94dc8367f851aa11f3e396c0b8a30e2d4c5a7155a501b5b1b1d50ed

SHA512
7477e2dd4d53fb0cdfc5966ac7611811902ee2f06eef198e6e7f62c07ad72f974aa08acaedd7d9cf83400711016882d8b5d7c56328c0f4550d83a01789096708

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e579bc9f6bbac9d54748e21b071e88b7

SHA1
9cfe1ca548e55e9b8c3f1a553257a93eda79e0a2

SHA256
e8d591683f89c5e1deb4fe4ff451cb7246e18b417c5461338dba2d0309744d6d

SHA512
3e1751e87a4db458e5873a2a679168691d0d84089b4b6a8e6a31f5cbc00dd0afaa1df254c94cff775afea7beb21344986c0dd8e9559c4d51c4c5d88f7232de37

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a0d7764716d2a3c299b45b4aa566cfd0

SHA1
8ea347a799c7cb870bca522fb61a4114529715f8

SHA256
166ccff89fb4485ff958e1250b445d5c0600981f3784a0583b99fe2476ba46de

SHA512
fe5ccc4bf3c1e87e41ccedd3fe3107eccc01cee375e9229c288d358a38b260332b5e4558e37c7000ac521397f3318035b35bf789cb925d22f025b2866f5d32c6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1654b043df9b65633caaeed2c5d0f9dd

SHA1
828dad218ecf00fce76608e3bf7bdb239395f8be

SHA256
82031dcadf5119157933b9d5e1764bf66f1d33a57064374a78a971a28af1f1e2

SHA512
f6e743dfd1755be346a88d6249dbd38c193364bcdc879db12e75228f3ae14f898fb8ee1018ad16ff3efdfe9b18a86d83d9efd40a89764cf67ea5352895f22e7b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d2d02943662cd33238d8c31df3058865

SHA1
0fdd379ee53b00d922373092df83c9beaab3b8ed

SHA256
226fc55b959279ad1c0199b0766e12c0a33b111c11e12303b4b77c0af2145d26

SHA512
9986c73ba7705895596f66fb03aa6c80cbd18c855c3020ee35e0bbc99171505aa250a9041d2fefd7bfe6e719e1c124a9a40cb156984d64af4be9ae0ca94059aa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
af5cc332d711bd5be0d2f21e4f4601d5

SHA1
7b3878cc83fc0c262a37afc65e46723d2000f025

SHA256
9bb1265fd447ee0ecacb09626d37189b02508149e27446f1ed705c1b2c20247a

SHA512
dbac0e111cc4c15d0739ae1ad0823de78bc71dbe9cf98358c89ed08a46966a9859fd3bcc732d7c497607b29c730a2f3f32c44ce7724c17ad4a23bb2171c40223

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
253493b113ac678b53604623fdda8fdb

SHA1
4d6eb84cff963a58e81fb7532a32b59f55253046

SHA256
e7f1d596fc08ee30404d9593d4ff8119fa53c86c91a2c02807cb410d7cc6f906

SHA512
b3cff3fa3113c180117821201ef3cc45c6f36dbbb907dffea3b499c93d93548f2d89f9b1e7bd3940a0951672919158fcb74bbfb2ce60fb1e2b911e66e29ef237

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
01d6be6ed76718dce6ab234673568412

SHA1
e5c4ad40b78fe6e696d35d4cacd32bdd66b935d6

SHA256
b18627a45792b3601dc16c64e6aea3386f0fd6751bf67b3f605d39056ffacd70

SHA512
720f8801e01e296eb95a9d91ad45563f0c39c6e6d5bc3000c2e271503f650565d1f44939ccea5acbe9ac75edae404a8720a57340276c2bc19c61c4813a55fa77

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1dea08ac04168ad900f723e9b8292fd2

SHA1
cae39c478a64891cbe56d40b943df14b7898ef53

SHA256
3eaebed7e3e83cd74eb167adc000250a750142684137e07c93143e46123d2d97

SHA512
2b2a5f60acf112c5f0baf97a824e0b6642f69dec448af9b4fb4a484dae112422eda242a989d88658c5cafb479e7cc717b614040ea9cc1d8f502cc34d4c64adf2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
887bb5a33b795e3af62afc4b0562bb5c

SHA1
541cc772ccc60aa26441fa696b5c9de22b2e32d2

SHA256
5c578c05bcd95fd86233d696d85735d420ddacdb87fb011f4301bc13936dc342

SHA512
79898c4edffa41c864e1d9b18b180d098b5c7e4d4587d5b21b4435387c9c0a265cfdc8027d6727b18237fa8e0d8945dfb396782db5aeb7edc6f6ae539984550c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
73372e36841b719909b467491653e2a2

SHA1
9f5d82136c09a882e21d61aabeec8f142edafd7a

SHA256
210462c11ee1349030783c30f43695bc268e1cbefc99ecc49f00e055f8568615

SHA512
1a3e0ffc1ce8c0f525a029fd3b04339713b843778cab2d84f8a6915328072b8d5c43b22bd15d17290108650eb9ee0e0e41e5eaece0ee6f5813b329197581b3d8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a00cb22434b328ade6fd5cb25413533c

SHA1
48c6a3e19ab755512fd051d825257ad5e566bf9a

SHA256
b8d8180a5684a9008aaa74e9e0dfcb55c618a82910895dc3e93505451adaa1b3

SHA512
0f6153a9f2a300dba6077bf2367dfe92a6e0b556eae7461aa963ab313041b4ca38549674cf3ad2889d060a57b36749a8bc080c1d92acf97aebcab19477c0845b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
11d39ba599f63bdca036ef1972abf033

SHA1
5a875afa33467961d612cbcdcd828e88bf3bed2d

SHA256
8bddee0c82b8316db26f016be749f319df7aacff82344c51307e298e0e4f253a

SHA512
3e14375c64ed42e0d37da1e6ba3178f2aa43e314a4e272a5fcffba5901de8c02009fae565a4feee130132924d3f1c304c52adfe31a5a5707b45220a87e0d598c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dc3d9e429e89a999b08b1dd9489f4c3b

SHA1
d0e50f83ab13db0492316b0896608e46bda6b413

SHA256
d066287bfaf688c33baf4c6643c1d058a9a344755d5b124be1911f80871d022d

SHA512
405ea0322a90c7e1e4a248901814f5662090ec4272aa1d5718579f4b40941b6d282d25996d54b99647c222a9fbcd02317dffae6dc31171ffa617357c552de1fe

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
745a89dfe6a8c5a6c5b76e8374cc892d

SHA1
f9caf76e34c05897176b8d3a80e5eae0747fb777

SHA256
67754e6cebf7ed21ad868c228fdb9df053c9c691c029505882f00d8c4a42b17d

SHA512
ee7bf4a0420031b78163d8b035611b059e99e08bf5fd35f6087f3832905557cd660faea2477a8db190e2b8b4f0cb1c6e8f969d5f500d954196fc547381911b75

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
19e7f7e35fc2eed4bb61c800141bc0f3

SHA1
8b0fb46424c0d4d1543683a5595e06c499f6ae6c

SHA256
bb024a63d8f2ae97f84f38b83df03d2ebbd9ed76e4029e156919584d058265e2

SHA512
403400297aa02867fc05b9d7b1e6f723769b2f76a5a0a0e0e6eeb58f66c8e2e5a9d5a2cc057fcb86746b6e476cbb07146879c6a46bd5811ea22e5dd6f485efcf

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e19923d03c150f10c53baf1d8fba678d

SHA1
e8ee14f19f38613737ae2d7ae801af9f6fff1fa0

SHA256
d3e15915be7f0157eb2399ba17af0260be83a5904f91f64dbe7c0399a6d3e74c

SHA512
a9aade0942dfb424485c7b72d609bc99686e6652a586c13782e731147088408766612687e1b0087fb894827949c507b60efa4f0f917cdcbe713d8f4b5127ed0c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5997b931274b9e95f2d161a3f22dae34

SHA1
4fa191636f3c1adf5788270c25828a4a6e1b13e4

SHA256
9e06e212abdf2776bc910994bfc4ef1e2fea5d458495c0dd0a6c119f26e58680

SHA512
68e8272b17af6fcc50caa627b43d58e42f1af60ae91f1ec527a7922bcabbbc2e6fe6df81f2ec276dbb638c8fc4fab1a1095444798fa6d0607089e25f9f3768df

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2e71256985e9335a16350bee547a5dc4

SHA1
e6bf988d92b1928acf02c1aeb979366932526036

SHA256
b177c3781db93b24708af76455fe1d6f59f8fe985eea011edc3c9540b66577ad

SHA512
b7980debfc67972515df758bdb6494897c99d4dcb5623cdbcd99c856f70c34ef8ff068104153699b4ba5b7603be0d3ea7dff574d1f1994d847d36dacfcdf373d

Download Submit
memory/32-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/32-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/32-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/32-81-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/372-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/372-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/372-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/372-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/908-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/908-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/952-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/952-480-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/964-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/964-484-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1176-481-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1176-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1332-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1332-90-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1332-89-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1332-96-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1696-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1852-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1852-111-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1888-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2268-33-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2268-39-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2268-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2268-42-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2288-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2288-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2324-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2324-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2324-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2332-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2332-106-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2332-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2332-101-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2448-485-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2448-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2460-7-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/2460-370-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/2460-1-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/2460-88-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2460-369-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2460-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2476-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2476-479-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2484-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2484-487-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2936-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2936-66-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2936-55-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2936-61-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2936-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3612-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3612-486-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4224-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4224-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4288-475-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4288-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4424-476-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4424-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4424-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download