2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
Size

625KB
MD5

bf7692481eaa30bd200577e14062370e
SHA1

fe8437f80472356ad57754a7d3969895b236094f
SHA256

2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe
SHA512

0378e4607834e98bd0e6c01218807c01be9d3ab1ea8da45a925e182721902f9a8e844489dd07b33f310b61cfd200e7d901c89dc9a5246a57a0d65d938b1a0412
SSDEEP

12288:22UWRPelh8t14F4YfDY+o7KO68G2G9Ih40cjs31K6fq+hTR9PyuV5xFpQo:TZRmlh8t0D+7y8G2G9yL0cMoThTR9PyU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2652	alg.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
4956	fxssvc.exe
1988	elevation_service.exe
2484	elevation_service.exe
2524	maintenanceservice.exe
2544	msdtc.exe
3652	OSE.EXE
2292	PerceptionSimulationService.exe
1164	perfhost.exe
4680	locator.exe
3876	SensorDataService.exe
1864	snmptrap.exe
4596	spectrum.exe
3056	ssh-agent.exe
4032	TieringEngineService.exe
3044	AgentService.exe
1336	vds.exe
2092	vssvc.exe
856	wbengine.exe
4072	WmiApSrv.exe
3480	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\System32\vds.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eefdefcf4ba38143.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{939A4C0B-9326-4B5C-9760-544EC9BBB40C}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001df3694e81cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000097a4c81cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000615a694c81cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa6b7c4c81cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e57884c81cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f81a714e81cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fb66e4e81cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084e1914c81cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019bb6b4c81cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4d84b4d81cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1988	elevation_service.exe
1988	elevation_service.exe
1988	elevation_service.exe
1988	elevation_service.exe
1988	elevation_service.exe
1988	elevation_service.exe
1988	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4436	2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
Token: SeAuditPrivilege	4956	fxssvc.exe
Token: SeRestorePrivilege	4032	TieringEngineService.exe
Token: SeManageVolumePrivilege	4032	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3044	AgentService.exe
Token: SeBackupPrivilege	2092	vssvc.exe
Token: SeRestorePrivilege	2092	vssvc.exe
Token: SeAuditPrivilege	2092	vssvc.exe
Token: SeBackupPrivilege	856	wbengine.exe
Token: SeRestorePrivilege	856	wbengine.exe
Token: SeSecurityPrivilege	856	wbengine.exe
Token: 33	3480	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeDebugPrivilege	1908	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1988	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4644	3480	SearchIndexer.exe	112
PID 3480 wrote to memory of 4644	3480	SearchIndexer.exe	112
PID 3480 wrote to memory of 3368	3480	SearchIndexer.exe	113
PID 3480 wrote to memory of 3368	3480	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe
"C:\Users\Admin\AppData\Local\Temp\2456ec177a3cba08a5127cbf04cab7278672be1d007d68e6904d758643a8d9fe.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3300

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3876

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4596

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4652

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4644
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c8c7d70b934e9e1b1ed0ebe4dc423a40

SHA1
88fb4fe52c4030ab17570bb20175fb31d85af471

SHA256
6b2b1b198df080a00d006e1be48e83b7f8ccfbeea8a653147de6d8e8909b5d75

SHA512
a533b48f74395a579c3c3ccbdf7ed60a98a2b90b374c8eafdf9d70d06243a9d9b34cd3d0ee7ff9b1bcd25b4bd972f50d9a634bc4cec78e15ab9cacc1ae7298e3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
8873850952729104f0ff02e227f9b400

SHA1
2412a8819b52778fe66d26a929f31c5b82139aa1

SHA256
965aeeef2e2d73bacb4c7d8ebed7273491f0c552443311ae2ee109e8370f1e1d

SHA512
60ff9d584d95d8d6ec565a45ea4f14d7b573d0adc65fbefb3001fbc4d8db8d5ab4a28242782729c7576cb76b9ab2c6bcc3b15a0061ffcc9736f0bab2b882d95e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
79e89eb149f68e4ceb589ebca6214a15

SHA1
8eb2237bd7fc7f5f11c5c1f75a604ca23c3574d0

SHA256
82fe5a2be382a99b474f911b0dedf37cdd9bf1ca5a17ee1dc86d329394f93c04

SHA512
91636587cf0f26132dddc4885cdceaf00ac2121be41d273f2719abf3099089c0fc565045e5c3955c0a106e7657b22d8fff8d0555958d9d1680690e93548de572

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9c6da3a478742862c6a87c98e2f127af

SHA1
30b959f1db0e32678b79585b05f61915384633ff

SHA256
e0e0f6b3e81d4595731e3ec28a847186c1146f9af96904b49cd2267a02ab30be

SHA512
0c0dba13dee8ee4206e0e91980c3baf8f4328f85eb4927e14881a0dd1c231cc2adb065461e1c166835b7846129045fd06457e2a53d40f0446567e8d935e90d3a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
473d25be44f98fe6ed33f8cfaa4acaca

SHA1
48253c4b10c1d0c2c5783770f4378529dd980550

SHA256
ca5e6b37b9de7178a942d082b90d661013262e3f35ff43d1fe9723e21920d374

SHA512
fa9fd24e5a39264d245b98c567c37338dc00522693fad270b41d6128d28b6e69b1cbe236b21c1a2c68da7f2fb7f4cdf67dc6cb81e170e5024985d4bef2817ead

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
64ce3972f949c34c673b77b7cb7da62c

SHA1
6ccedeff314d828b4ff5ec835ba4568e6bd3f5ca

SHA256
2152197e0351727c8f724721d63c2b735e20fe8902ff36980e93fec794a20594

SHA512
aa0b07ce9b7cd050c36197e24137d2407e93735f78bb11bd2f90b4ab474f02fc3fe11aeb40eef1f72f6ad774a2c1213ff395ba0c78cfe73be26b03288c284758

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
70b35eef98577b0ed40ef8a6e56617fe

SHA1
34cf57959e5d6c5cd16923e9aac08d1c8ba6e788

SHA256
c2748a7c4e5883b14d6c5ea57b2b41f9d627ddf7b70df10fd3cf6fd96f20db9a

SHA512
beac835f0436a3fde3d3ad13d6afab6c3c2149436fe5a0b79e51ad83e36761c47263d2fd3d89c920b35dca51b1403735cfd1a6ccbc6a4ce9bfc6887ed5d02115

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8e1ab00cf3e610828bc017716b39f1c8

SHA1
437cc7a64349840a4f58d558501b494b40d1af06

SHA256
8ac10d1cb6ef6a131b4baca5a8d18f265a58f16cc00b3da9c56f99732b79d955

SHA512
f3562817083202041ecbf563f7bca7b935981c4719b43025afbb1ae239c9640e77bfba36dae4aa3c126e107130f9f3d59bc98b8f94a8a1998d3e603efae3b833

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ca6bc26aa4911cd67fdf9f9f0dc4d1a4

SHA1
88949752dae3906246da1e2c7b4ae4f6ed172fff

SHA256
fdd2842baf23576abb7091a19482b3b5a1b9cc19a11b5ddb721d7494042b1493

SHA512
714fd7c0b216577444a08762450c4e549db28feb49f027d2b7c8599bf3513f0e046603aa8a8c04c96d8fac951464ef44d9c3eb3ba6019d0ffadb00d80f92deef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f0a7ba9bef7d898c1116cb3260950cba

SHA1
d6472ad0982748b9509112b50c4e095db693b343

SHA256
7371b08d9c923a22cfdd964d3d3c48b6b91f65719545c49baf9eab27a5b06242

SHA512
db4b627acb6c95ea79095b6a6a6dcbff277daa58f75b86039677c93bb094afc74b68d1aeeb92e8dda634cbc9bece51e172215107445d76a37b99de02180d98c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bd3c6393c958abd8265b86b58246f489

SHA1
9ca232f5762ebbd488c36b538d5b0863231b3963

SHA256
90428ad527707767d53aedc9483a94b9a9953da9f5ec580f3c584d83b15d52cf

SHA512
681e3599c91f1d0f697ca1d1a2556f3ba0a0d5984873b1ca43a499b586a65c5ab764fb1b14e9fac144384980cad553667ab5134dda86fc0b331eadfa4dec9584

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a2a0f051c478433c87d312d7d5817d84

SHA1
75dd4016e6e59e5496afc2e3c7035faaecbcbf55

SHA256
d0bf7822f81ce5ab66ce61920b37f1e1e10e77fb7d6314a7510a90b81ad640a4

SHA512
0909ee2684c26658bd8491ad1f55a8a42a1d78ffbc4bc36753003073ca47cba5805652036caa883ad6688a764a1bbb5090107909f6fc594902faaa6b1291442f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
44f5ab79393eb90968dea579671c1e1a

SHA1
0da7f41256da1e8f05134e6f70f8d19a72f0e3f8

SHA256
3be2924a3b20e4d95868bbc7d463a81992cc94692284a0ad9073a9499f4d097a

SHA512
dc0752a9e4ad881142cdfa073d3c24a0d38421c868b47efbfa44c4633d135bda53aec3a2d4104701f9ab620483953609e536291f9a573eb889a1f6d798008e8c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
38bffcf9b6a4ec0789a44970ab57e885

SHA1
c09fd99f5c813ff5c423af082aff0f1149af14cf

SHA256
a2df88c5bd653995bdf0356ff5fe4d6463ed858d83745a9d3071f4bdf5ef5804

SHA512
971845d45e7a14d7c761cde3406de49db1bacffa2959d7fba46a83b19ca07c459ebe91a4d0075f6cd1f04270ac9664e09ec46ccfeac5f83d9b2a08bb154aaae4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9aae0c6c9d1997ab09332d272232a83d

SHA1
cbda6d95cf61eb8ed70befdd379d1d480c4cb491

SHA256
4b7071b56357ad9014fd89f716e44dd89dd3fab0e1d1a9e18d931435944cd1ca

SHA512
2697d6bb46990b886ca19d02d6b70657945fd4ebc2704c4ab78462629b716df34ed7cd3c080cc15ce506721b72b6c496c80ca928de9aa9a61ddbce62132d8b8c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
28873c615b4b373b39568828c63f1b89

SHA1
e0c31a18dff9301b771daf4a6f27de28e96aa266

SHA256
c89c857d1e408cf16e5b9bec5737fafa8f9659abebef63186fd9131c2d2fbd29

SHA512
328852e66696e5cf9649093501d86fa32b723af9bff98dc1f9176713c2ab8e159c385adf9867e12a90c4a186ccd9c05f925af8c41fafea7ee72d292d3a76ccc6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a9f7a10e319ddad5d39805f40b15eb23

SHA1
eb00066a4c8d2a0f8d58336db1f2c821da238c71

SHA256
06269339e69c19a2b3767b5a46ae886ab026495ddc60226389dca84736e28256

SHA512
f7d4d105a50b975dd9687523d0f998d67c1e7c9602d55946a10bfb00b2a6f02748f29afff82a20664b5ec16555d29937d5ea78ae1307f65ff0d30035770e64c8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fe8789658f486355faf3343a4add5182

SHA1
87f806fe966f39aaf5aa1b83ea3ba2aec6cceb67

SHA256
0532d7639c20a8fa607ccf5f6227a0fcb268826a4fd6235ec447c214ecceec2f

SHA512
c3697a984a139f7a64134803775083b09ac797f511d3c54f033e2fe307e0fa9b578280cb91f2024c3bdac64b196ea640421768db174e61ea8a415fbdc314c379

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6ad7bde4b96613203a23c80d5f34b3d4

SHA1
bc30daf24b3fd68ad9ff2df3766a7332176afe1c

SHA256
2d0077ddfd58d446b4a38b73a5183ce45609c5a81350fa5f5e076e2d826ecd83

SHA512
708f711ff0db95c94bbc363c30ce81a397a82bb00ccbf54367cc32ca258ea2faf6b9b78ee9e671c93b1940a691fec09e2741cdde269d43d95159ff5316892bc8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c7ebc8a8565470dcbbbd46580757d37e

SHA1
4d37126210d014caa7fd0feb621d883c37e47558

SHA256
a20e0b2357c3622688d5e7d076dbabfe9c9ad97b5b73d142f1173aef43b46024

SHA512
00cf6a0b78d91f3f49e1de3da8f957642b085b5bcc8375791cf9cc26f0a4a8bed7e5fe9bf602807ca6056bd6f897d22ecbb84dd063829381853b22df8afdb1da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e26289f89f895a2961f1c2c14e86768c

SHA1
90c2bb02b9abffd59d4c2e8a3472ffa7260239a5

SHA256
3d8b4f92b474cdec3361bd444db1e5b7cb74fccc07004020b8d8d1ffe99d57ca

SHA512
5510843b67cde7b65a239ada639a47375151ed71530ab25a532b572f9debc0f16eacf3bf4e10869b8357190c0ced89dd9df0ed47f0f557e23f6ed780927aa6fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c9da614119e0f7753942f422134c55a2

SHA1
245f264de353f986568826d9f656bdfe7f8f312f

SHA256
ac8717ac72a6814464ffec3171684288ed05051d3b2ffe140e7af70d41fac368

SHA512
4982b95244e6e52c7a5ca4ef2bb2533fa94eb0267aa442c4684678b1d79e2b9897e77c9bbe2279b3c5fc403ff16fc053bde63a17409204fd97468971465ac6ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2877e53b0b11ef58c3c0bc16e1421475

SHA1
c30d3299e9ca970bee36dde99812f7a71ef83622

SHA256
53d150993f6ebd32641410a5c9584a543132080bdf86c4af82b5ff782fadee45

SHA512
472e27906c38be28bfbd4db20dba6e4f0de0b361670ebaa700248b0ad40226912edc6a582eff50a8c99ceb8347b697eae73bb0361d9ac501e00888a31c0296eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ea9fe5e5190f0baa818dfaf07eaa251e

SHA1
c08d4d0f04020045e5f6353674db3b4eb8c23728

SHA256
dd3dcbd55bf7a0d8b97fc867afef6dda747796d494d50a4f4d84e0bf6abe67ef

SHA512
839846fe96038c23f2034d1df4717e169dbda8ee256ddfd5e1a5945f9b80e03fd9cc75409db48dd69b873fe732ca0a1a3b5897e9aa8ca6a79caf9f815ae78952

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
373f3470f840b38a0d45342e7c9080f6

SHA1
612e18ac58379de6782aeb221b15d057922404bd

SHA256
5c5182873c49df7b1947ecf471fb5eab4c04f0fdbf6d919d22e40592b7b5de04

SHA512
40a43744697fa59040a8a2e60ee40a27af99f4c18df4814a6f154a2d7b60d204169b4dd3dd7507bdf320be8b88f799a3ba0b2c98e73d1725cc0d86167ab64edf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
004d26c29e42c30567ba6cb0653ebd61

SHA1
c7cacc4e814a30d7a7d0450155e49924e566dc0b

SHA256
4e06fbf50ea1d18a830f680ec4c45784a05041cf3e467dd8be37736aa7fec521

SHA512
897f78f2e47e1f86d107854f4bbb48ac628ad72a846e0daaffc7076949c0d246d06c2224dc6e4af55bb9172aa9ae8056ccd0b3547c4e86be5b78f5f06266ce96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4bce9dce72232fbd4f88e2dc410bfdd7

SHA1
e0b93b37ef03278bf4a5ec83085689b92a6bb247

SHA256
a0ac354c5be6baf27383974ed4f02fbb11a66781f6a1f70ac99c1620a85972fc

SHA512
a54a03bb4b0bdc4e328e0733a311d5e6b520522ad4ce3517f89869d586b0d9a0d051044556fce9197cc78137e915d6edacedf6816e5ff7ae88198616c651a745

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
4d75b931016ed50e5a1e684b8445f19d

SHA1
2b06b6891ca55ea41a18be959d619246a9c32495

SHA256
490faab35937ed7c6f8ea654ffeb7caa1b0bfcb58f44606c4443272174342c84

SHA512
3dd77ba3e07d2e12a866efc54afb60af51d80535e4c6c639508a811e076bc41199e18b72ce90f005f3c250050d534b40bd39340021dbce6592db592342b9127b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
afa219156b8efe2f93431aa6cd408805

SHA1
d1f27431a30b1348d728fca257a96b73f6c45440

SHA256
342ef071e2d0758cc39f431d1a896f3eeb53e7979e69408385d13eb04d0e2a02

SHA512
732b34ce273b80d26448389b2358527557f9820306bc1eea96b891a933abd8c00a26a426083f490d3e33439b3355ed64eb3e7b89d1ac9e45dfb3887265e39abb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d761574e94c6e8d346057e591189261a

SHA1
43d40e14f04796d61b23981cd59a0b96da53d32d

SHA256
96c21f6ea8f3867d0aa15ec5eb5fd0bb917973649f7c11787d798cca7a84ed78

SHA512
acb7bb9d98e7d9b0b9f8c3f89eac91f8b1fdcf47baa07b7c439275ffce18a84571afefbcde315f85b8467af4cc453df7b7a42273073254c9b5bd9dbee22a8fb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
db01cd45c045078399a1804f7ae0daa9

SHA1
52eb378730c11422d008bbc204dbcb52bdc35d50

SHA256
c1514277b678e7e4abba388a610d4c31adf08c955ac1220e8ce03a31d30d2892

SHA512
8417ae6fa83a113bd15755f166f0c2c42c4cbdb4278dd14c1d7ddec7fd1dbbc2724f987d64d0c36142f496591d29faa88380905661a8e4908f3090284b411126

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
38c047c1667625f1e1221687b241c99f

SHA1
83ec3eecf7716489649eedc69367dab0a5d37d9d

SHA256
a68bc471b6128946df2c6495382acd544c80989cf06470ebbdb6ac7dfdc43798

SHA512
568b5f8652d10a544c2d91ee50453e97840664c94ded5ed43f64944ad0fa63a000d8b579cb828db2c6156730e54af222ea4aa2c83221247dab302bd4d84126b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
59e1c1bdba6301a6184aebe720bc2a27

SHA1
e4af1336e244e3089fb7fdfea1e0914b3b414ddd

SHA256
2ecfbf9a0e1197b8544939664c7e5d51a6b173cef13122b63739eeb7e4bfe4be

SHA512
5e58d90d8889e047e4ea1a6df214b1d12cdaf9baed7c35fd0589658be2d0561e3a21bfc56e34835aee0c21adc5a143e06cc9f0ab21f67ad472bfc6cfb81ee642

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a733ade49e03856f28af9a3b789c95e4

SHA1
e7ab173286e1112433e664e4673d148913491893

SHA256
c494273ba91c2180197e2fbbb11639703b0fa1012b78e2237e20e9ef2cd41d9d

SHA512
244f5f283a3d254106f5797c8c31762dd59ee29da898ae60fc1eb0a64a3ee5f85f1b41ad3f58ae906355519822b073bf83fe8b11fc4d08a0d204aa5aeba76061

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b2e2a04adeb13fcdabd97da0084f9e8f

SHA1
6ecd3482277613016ce9509aab2823bbabe91e26

SHA256
f4ebe4b176fe78806eb0014674a42929f4db2ad9a6e02662ffef7d82109cfc37

SHA512
8fc80d55a942d54a91736fa882886b9599306160dcf00569024c8804e3256c07ff1f5e6319a98b554e68144892b7ba09a1ec1da0186fd928daf8b99c728a9ac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
af6781930004f8a6626e55c47f778c3c

SHA1
93fb5f8b591821707926e87b9e860cade511b09b

SHA256
46414afa6c0ac28f9295d24d27f0d46f21ddc40908671e412f416f75182fabbb

SHA512
858899686612768543cff014b2d0832e3311293dbc959f013d4bb0805229bf523253e4c1eefd677d0139f08f3657bb7f5845edf48db5d75a62405a359127641c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
3b08383f6ecf06ae542b152cd160abc7

SHA1
f0244b15337201c3c9e4007d965f6e3ac8c73620

SHA256
c3d868a1d26fba8a173306f8b51bb6b6fa72ffbf83e0b3f42eda790279b97894

SHA512
1dbd29a52e611279d50ded5cec0830d8ef7a5c02e6a4ae0b0803696b7e9faeee66a63b96efd857921fb9d68c03514306c88a4b72ee15e98361d27497a5f177be

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cb243aedbc4420426dddb17831e4e019

SHA1
623b7e5758b773d88522b1a38d5c1626da48322c

SHA256
6e62ddcc138259f76031901f361bfb417eb03b119a62565a0d7379a093d19493

SHA512
654033a1ff57de38d42419acf5ad3b539dfbab2bb9463bd29dd1c62b89ef57e47cea9bf0c85d79615fb1cb5c3bd5f26145192361a585320d6d8959e70b1c7030

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7167d77bd21c1af0f0f8d22eeb72c517

SHA1
44b839c45055f6b2bd02e6253dac2cbddfc5f654

SHA256
10350bfd675c277a0dec7feb9ec82d59a6babb01315e23f82b6ed007bcc2e29b

SHA512
d73771370ad75425d130a258e1bf8cd3dcf2af34a521ecd140b6f59c74f3130157c2e3447e3b90bbd6675d36fabfe33ace72a0a48ffdcefd229ea7e4606e7550

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
fb27c457d9af94e46dff33aca459eb57

SHA1
bbf9ea000958d2dc947c6b3d1b1a734e0d0089a0

SHA256
96e314944fa2078c966388b0f2a8c05852d2cc5c08beb4fbf676e38a31820bbc

SHA512
cd05dc0f9c1120237366d3ff80dd641d4ed0dfc113a0e726dc8a0b42202d8b2a38de73123e9c308cdc645ce87715d35f3b66d7df15d4ae528c64e8a7785813c9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2f13202a18f4e2a0eeaeec4066a4a949

SHA1
50047eb16859dab87af544f9775af8c1b69444cf

SHA256
4bbc076f8a8ad569043d6ccf6b7bfad149d087c7d9127106bd45130efc2121b5

SHA512
0e94e913bd8f6da274002520a3d13d16489ec0caa2124c03820485a6febae42a045dabf61e69172761872231d99ef1e2d1c9a944937075316523f9acbe3b9ddc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ad04ee31c9962e0a0068d82f9673dad6

SHA1
3c7ee4c4585db60f9e1f922df6a92c7f1383f11f

SHA256
5ec92140e403148328e8a121457d02b8254e79369107113b6af0492bef9f693d

SHA512
51295b3badaa114b42b535b2c05a20076c54d9bfaa58cee4c747b7093800c92d39739c019fc63b0f5e889bf0e34ba5fb62abdbf11223db900414bbb378d52745

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d3d489b56fe0a1c9e3ffac192467aff9

SHA1
b7b4fd6c7ac762ede24e607bed80d39238162ed4

SHA256
151013a84eaa4b6c0b2cbdcebd8ac52bed0ad0c10e835026f448653bc93a82ef

SHA512
dbdeb5862a6012efd60179a4d13a6120369a1e45211c421f571d451792ac10dd0c5025c673452b276728629cb72e5fdcc7b569d1557f0bd0144ae228844b8378

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3d9c85aa1c32745b5c0be4c7a8ee5801

SHA1
1a27b31e864c2ff3f273be078dc2fc13d572f815

SHA256
2c0cfd902b16481738d95e7bb271a21875c31801cdc8a413aacc37016947468f

SHA512
8cdf26a78d79dca7b3b37691c4339f6ea6c4dc626f6a63e2a4b42e25edf3883302dc599b5a72743fc1712c099f3ec6b8d69669198c16ad916baa4f6fdf414f2c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
89b9d44cf6dc8e5e4d221c9e6d509d21

SHA1
70f185986ef83794e455205ad8f289a869044ca6

SHA256
481d75641788dcda0d6b462517d06d75dc748bf6ed7b9b93776386d727862104

SHA512
d193e6b57a6bb0efdd8c94f497a01784bef83b0df5f862c06d6f2f1f73c64dda1a2ecb7ea8e857fe076fa71f47ada283be0615883344854caaedb3ef3919aa70

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4537e5adca37349cebaddddae02b5833

SHA1
b3904e086229ed8053e7170be9b44ef6f8ad35e4

SHA256
36c1bde36972e238b1feda006be76718b229ae70508b9f6cfd2a014e937456d7

SHA512
8fb8849bbe737c99dcc808393c8aa750390f3d5b0a4ee1a716ce42565a4f2541df0753ace1febb1b98250b15cc5bb8adc5b171e760ff00d7b47ca51a656a25ff

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6a5fe60bf835be48b0bd754d24273737

SHA1
5b6267dacd5a9af06363851c5428235f60c4d93a

SHA256
3a5b6bb8021bcb6cc364fba5f8c48a1107429ac7aa75c0072f7e67ce02567040

SHA512
6da180e9eee17920c96d0e1ac35e27eb595fde8cf08c667903a123deff7eb50f8e07954813b826953fc1d54d7a3be2094a897b7e30e66301dcf0517bfb0106de

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b5b5ab6bb76c04dc3c422674f39923b3

SHA1
fde761476f5bee5b3a36410bf33d521898ba0f26

SHA256
d026763d549620b8baa2d09daf8ba81eadb6600bd249898992e1f48a08f705af

SHA512
841c3422b0e454edf8385df9c4f25bb50d22495fa237cd4c969ac33f1165ca8db49727be8a4ee8837ecbaeacaeddec31b87e7662805ad4d3bafc80ac11053013

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
434c539f0a04a0888b2828462fb29afa

SHA1
8a5254b7c953357a4d58fa95bd42ce93df101681

SHA256
2b35c72be1ac4805f2aee4138d9e83f5cd1bba609d79b3582ed67269c851290f

SHA512
ce3875be83fa12b799b332f3496d075254435415a94915817ac1002794a2c4993643e101f978b2f20963d7ef77424757457aa1df2298fcfcd240fc5298a53338

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f723db93f6941719fffe151cb51ab81f

SHA1
febf4c4dd65e3fe1f8943a84625e71fd9264ddd0

SHA256
3a9dbf83e488b60086793872a3425e054f3149ec8db9e8f1c3a20a78548a426d

SHA512
44319900f5befa48e88b514ec14505772d21953812995cf800db1762c822e105b5e3f422358d9faf6c539ae0f00cbcedd2dac3287a9a269453f5e41c1ce3e16f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
966ee7dad368598d42dbf4a44a849a5a

SHA1
0d9cde21c6106288b1a67c1b0198945c8527a489

SHA256
d2b59f7c47e8a579ae46d4e277a636edf5f1a1ae981f422c07aee36cbc9c475f

SHA512
2882ebbfe41b6322595aba2e2209e9e6cd2d4fea234fd6cd9edd2b0f95a6209feec4f8541daec0e782e196ebcad93124296e60eda6b219ad8b5f963e34034921

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
79d33377a8fc83831c56841b60cf4313

SHA1
09c4185be0629ed48a611ff963cb98966b006cf0

SHA256
99fcc3a591d8a4e562049fd261a648239abedeee26d10590c0b62804868a9b02

SHA512
ab4f9b1b400a21dff1af0b21de717f5e6b9ea848401b38884961e1b58059098691700c8bb48bb84047d50b27940e3a8f93e6be7b80c3974c4630d9134cbad6e4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ff1bb20fcbfdd3fc754f34fe79a4735a

SHA1
04b4b852f022c54de2d07fb9785cd1f82181ec06

SHA256
0ad6d29bb20595cbc276e977203ce9e706c2f80a13242dd7d89b99966a9da97a

SHA512
11e8a233e288776ee33871f5100c8dd61bd7ed5f656083b21903950410610a664703242138691f1dc9fbcf0559f55251d6d02e1e6860cd827203b08accd8f342

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
bd600aeff2ae807777b9e3974a9275b1

SHA1
55fed50deecb8a677adb275a03591ada7895e7fd

SHA256
0fdfd9a17aa990f501526517bfe5b06754687c22c0f7458aa0aa970097280416

SHA512
b77f351ba2403a9a73cb41c472284edae7b1e7cd407c57aba98690d62039e3eff3e178fc7a3c51ea587db98192fe66fd4f1959f2de2f1cea54270fd213c57400

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4a156414b94f5263a1650792f72c0d49

SHA1
af8a817b75bc8baea1b5c47c49758b0850976c6a

SHA256
5fffc49d85282a5fb6680a77ace5297bc743a37cfd6d4708d3752ebd8ee9bd89

SHA512
8328a6770f4cbba5246e3bddf88fb4dc8d730ca2798f6ec5a0d07c193ee013644e7e1e5b84a64746c5c0b5c7c37f7e6a24007e2c6ae0f738c2a6f83150838439

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2688319928adaea014c3f87ab7fe1005

SHA1
f8ff9ec78627849d39b6e77fb124c250ce1f2534

SHA256
b6a58b97ee456a54fd5242430fde6eb0dd12ccea8829fd86b493f95ce2751114

SHA512
a4272d20c21294263054eb495243defd36211230fb047456bfa69d730f63cef319a9b465c45d542dc8156dcb6b5ea49ce0ff9b334ca3ab4774831512d50461e7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6659e03f7869dbb051954c2c47889569

SHA1
d3d21268b6c465baffb262f011d83a0fb1960cd1

SHA256
533c42b118956916160dcda99f5f6b0ea844475db367455dd70ec3d008249051

SHA512
76215792e070944ef965248e5de6d5db345ae0699dad65ed57ba631e12311cfa7d59f4c3ccc49869cf35cb29f1f8caaacd55a4b78644860c75b64e83d50880fd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
946a82c78321cf977d24893102206f48

SHA1
69ba8906f450ce134a02c043fcb684e65e1d14b5

SHA256
28b3e43d446edc33748381b1033013f6b8c3b6f4e827053514f77efb9ff9b0ff

SHA512
30b45cb3cb81db0a6d1999b437818ce4731e7f67e4593574aba4822e7513b9fcc2560a527cf937ce7b888d3210acbef9d4d5bf937aeb3af4c925c60c2d965494

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5064fb3116efe0d33996678b5126dc18

SHA1
d67d2989eb7eb82cc2ee3eabd06ca067993cadc1

SHA256
7644f2599e9da4a0ec48317e5b36a548ef7b3e97c22aa8892f757c3419497a24

SHA512
b7d64ca051fddc888c7e7cc153bab760d95bb57e9e6e97f62fd357f14b5ed84b858aaff9fcf103797070c715710aea3c343510d7f99910aaed8e0abf299a8896

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d7806fc7b5f6ed779ea7019c84119327

SHA1
2d0620a827b9ed137192b94851614ee7ad7345a3

SHA256
b3bcbf41812e39e86918b03ba2ad05cbe8941b239244b0e9ab2df37241f0d4ed

SHA512
378367d6fbba703859cbcf9951800a30e6dd38811a443dd823218976b64e767e391e600698e6e6c603854c8127c7c32536b761dc7e1477a8240c57483990194d

Download Submit
memory/856-167-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1164-104-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1164-99-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1164-106-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1164-486-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1336-165-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1864-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1864-487-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1908-15-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1908-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1908-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1908-117-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1988-37-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1988-31-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1988-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1988-138-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2092-492-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2092-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2292-84-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2292-90-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2292-92-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2484-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2484-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2484-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2484-149-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2524-60-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2524-54-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2524-65-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2524-61-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2524-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2544-80-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2652-112-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2652-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3044-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3056-491-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3056-139-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3480-494-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3480-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3652-314-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3652-78-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3652-72-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3652-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3876-113-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3876-450-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-150-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4072-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4072-493-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4436-2-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/4436-6-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/4436-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4436-98-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4436-328-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4596-488-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4596-127-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4680-109-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4956-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4956-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download