fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
Size

648KB
MD5

eb80861d073075b007f227fe460791a3
SHA1

4e07883aaced100c8b211bfc0873bcee23257c65
SHA256

fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6
SHA512

68f721910f9f8dfaf97858dd6ff5410f4870c26849e1d7edb66eda507350b9c0131491358ad2a2c039c15b939731fa42dc42659d296dbf78ab60d1f352805e81
SSDEEP

12288:dqz2DWUiLD7bHVKMQ4O4vSjNsyMLpRNO2FLzTGT/SRel8lkEoiqAj:Qz2DW1X7bHsMQ4/O6yMLprOInyT/Swlo

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3292	alg.exe
3732	DiagnosticsHub.StandardCollector.Service.exe
2376	fxssvc.exe
4576	elevation_service.exe
4528	elevation_service.exe
4636	maintenanceservice.exe
1792	msdtc.exe
4180	OSE.EXE
3044	PerceptionSimulationService.exe
1952	perfhost.exe
5076	locator.exe
3432	SensorDataService.exe
1508	snmptrap.exe
3980	spectrum.exe
3336	ssh-agent.exe
1360	TieringEngineService.exe
4316	AgentService.exe
3684	vds.exe
3676	vssvc.exe
2384	wbengine.exe
5092	WmiApSrv.exe
2684	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\locator.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b8f0f2d289a4da0b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\System32\vds.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096c3745762cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ecd9b5662cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000832f9e5662cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b04d5f5762cfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d857865662cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af8cc25862cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d54895862cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003ad9f5762cfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a165bb5862cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3732	DiagnosticsHub.StandardCollector.Service.exe
3732	DiagnosticsHub.StandardCollector.Service.exe
3732	DiagnosticsHub.StandardCollector.Service.exe
3732	DiagnosticsHub.StandardCollector.Service.exe
3732	DiagnosticsHub.StandardCollector.Service.exe
3732	DiagnosticsHub.StandardCollector.Service.exe
3732	DiagnosticsHub.StandardCollector.Service.exe
4576	elevation_service.exe
4576	elevation_service.exe
4576	elevation_service.exe
4576	elevation_service.exe
4576	elevation_service.exe
4576	elevation_service.exe
4576	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5100	fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
Token: SeAuditPrivilege	2376	fxssvc.exe
Token: SeRestorePrivilege	1360	TieringEngineService.exe
Token: SeManageVolumePrivilege	1360	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4316	AgentService.exe
Token: SeBackupPrivilege	3676	vssvc.exe
Token: SeRestorePrivilege	3676	vssvc.exe
Token: SeAuditPrivilege	3676	vssvc.exe
Token: SeBackupPrivilege	2384	wbengine.exe
Token: SeRestorePrivilege	2384	wbengine.exe
Token: SeSecurityPrivilege	2384	wbengine.exe
Token: 33	2684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2684	SearchIndexer.exe
Token: SeDebugPrivilege	3732	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4576	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1128	2684	SearchIndexer.exe	111
PID 2684 wrote to memory of 1128	2684	SearchIndexer.exe	111
PID 2684 wrote to memory of 232	2684	SearchIndexer.exe	112
PID 2684 wrote to memory of 232	2684	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe
"C:\Users\Admin\AppData\Local\Temp\fb7520d4591f6b48b5cbbc88fe31be90c6c83e56598b421a8e65c397d0265dd6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1900

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1792

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3432

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3856

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1128
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
77e2a494056867e873b53ef6830d60f8

SHA1
309e1d92e27b43c7bb015c93cbf0116f0616320a

SHA256
d8ecb177ab5c82e8fd77ac72c16eca10c828cd0d3cfae5914bacc5aba9349c6f

SHA512
b724725cb98677a6299e95f69589c38563b05f9a515f9e6d46f8275727198813f469bd765873ce15f74f2deca58349df75013f182e87fe389d476aebedd5064f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bce71a982c0b7929c81922e61ffe26be

SHA1
7e228ce2555c89a1f6b250c428ef4f117fe2066f

SHA256
f1682a406f973f80be1cc6545db414b9504e5d9c14178fb7dc8724f85d2c5933

SHA512
b23a03dc54cecd08e6fca507c523f8241e95b6a4eebe4d0c8c32683510344d4734fba441d486410104f88f25b622c5b9e37b6af30f5b839c3d54f4bdb3e90463

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2402290e4ec31d0b0d62eb5d9fc423d8

SHA1
a9baff30788339e8ede751f019d3cc95834e0b31

SHA256
498b73abc6748ab1d92c8e12af400373fbf912181e61de4a8358a37abd72c522

SHA512
9b760f44f493afa8158b1039a58fbfb1acb672a8b280fc47215b7a56976078782c53b3eb71dede9dead07c463cc5837a89a0f91946c4c2965338d37a3b506924

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
55fabbb7153a84e51ee604879382ffdc

SHA1
d97b248685009f56604658138917416faaa1b26b

SHA256
282684b2f4cd5ceea1732c135cafb69b7197e2feb670ba0c938b1ac7806ad572

SHA512
5f88ab0974f495fc2f425d0f312bc4571ee20242df06f8f730aa6706fb12cf28d3c7655a57def18564bde036f5e0202bacd6afdb4caf6dee6732866353e53f3f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ce12910dd0038659e0581cf189fd4dea

SHA1
e1390329a17922c753bf1ec869253a8e14cf47fe

SHA256
0d1e25343385bcacdcd2dd0bc66586d7845c9578a2589cb5ceedced484a07653

SHA512
c6b8a57ebab5e3fa527eb740342d5b10034bd8de24374e21bdae4137872a912dd2bf66ccecd2549847c209bf31f1e24bb4411b94006673c2efaa1fb8f5c8c330

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2f18acd390b358dc45ff5578cdde2c98

SHA1
8e9e07ec315c31f6ba2ef7e34e92bc8f3de76392

SHA256
eb0ae30d6929450a8e860440740323f4163feb098794d977450c7924f70d7c55

SHA512
f32646390f504e2d1ead435bded689efa85123db77b2bb5a0a15c3093ce7fa36296ac3636c1775de50ad3d624147fb06068d569a626cb9d372fdd62288b492ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d351625f536c8e59026610b6100e6e33

SHA1
ba01ff357051077f8c1b3cb96183bcf9f676f7d0

SHA256
e3b39b38ffff679a3ac47e992078812c1ed6407bacf15991224cb8cf26ca51de

SHA512
36ab37fbd9f0b795fcb193b93c9c43d79af77f4fe06206ab9146264d769a254007d2987dc3bb63a06c389cc5c05c4f77da8fdb4e0c607d1865549aa72fbdbae9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
db6b8cae88e00f9f05cef4d4514417b9

SHA1
53e1192c8e0602495aacd666421bc60aa7e7403d

SHA256
65dfbaba13ee22de5e66c3d401096cf6453394d530b79bfe0929f5d2a2309a73

SHA512
7f4756d1fd666a6a6dc4902325096732c66674b212d5c647f07ea1cadac616bd3a3bade98648fd4443f46be371c68cc1ae60f9ffc9ac3e377c3a36cb78ddb3a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c2ec74b1ea8b1ed2947202063a8457f5

SHA1
bbff120c5d350957c413c216af1b67d53eb48663

SHA256
745be16ff87bf4f3ec9d87d621aea9a6e80b6abc734ef6fc0f3d3bd12296c2ff

SHA512
854a70466bb1b62c2e065bad842705278ff49779c635060375cefe32ec7f710ba6765cfe5d9129cb041dee013f86303c903b15ba43177d95f4b7823b8fc25f6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a022142ede0b99cd4558d9c169cf8d1c

SHA1
74bfa853f52b6fad2babac5d0eac7ca6fa8cb4f4

SHA256
15973bd488cba2566db4c23a50aec2e5aaa860df4ff2bb4bd2ac4b6e5e9a6f6f

SHA512
9967228522e482994fbe291c096838aae39aa8799e4aa08f4377b53839928a63feb9b6ee24a5b36a44bd436ea3d3fe9d7da02b895a279ed78c45e85acd184dbd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ef9c0c7dc58a47358ab20f125e477605

SHA1
f575d021d7e498a358f100a3ac63d09e128fe4ba

SHA256
9e1656a2999a8fc193c4a452b5d34cfceb8d63d990384c7a1acadcedd5c412d5

SHA512
57ae4d0805f584aef7acdd86deff764bdd545547a1e6cb8af9ac0f8ec47c37d2aa41b43870120300a7594e7f177fb2571b840424fb8fc50bc7cf9d30628bb4bb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c4b89021544735726476213d6ef8a256

SHA1
02163a0619195cab00def0556657e88a65babed8

SHA256
b36ef9f81bde6aed74bfd894a1a77eac5de338dfd9a06230df22002cd67652bd

SHA512
7ac12fd50e527a219c5fbe895b58170c81b89115f295e86a3af0b1bf62bdc16ce519e7bb2b462d7e3d0c6aa5e8c87e3c9c4bf798125731fbfa1894e4c4812e47

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7b8e99c0ef0b0ca868d3ed3373295c28

SHA1
1538dd07066807211775c46140123c19e3731715

SHA256
20f71186471702e4050e825c25cca8474006f39a4cd64cb0189e2d29af5aed3b

SHA512
b065b3bbd7321c61e46db9a7e5ae3e4b89dcd30fc52106a0078c12790f91008c793ed1d9f0c54b65bd00d915d5f2fce628e877e7142f2141a46ba29db44e3bcd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
93f70b02ecffed2b3dba743e29209ff1

SHA1
5e9d5f5eec4f1b5e2a07258ceb7cc217f83d0f1e

SHA256
af4408f65192e25da1f2ca0276c2200e9dd53825f01af2e91999fd572d70d3fb

SHA512
36988c6f5e47aea80749db6fe5547c98c57d5faca03a4423f1767d2fa4f9fa17a9a7e67d3dfe526f47c5b241cdcee3af991545573d24ebe87b4c05a7e6a38e2c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c3ad0d664672e78f36843c97a34faa47

SHA1
e5f576bf31fd7f8e9494a46c8f3193cb8b079d88

SHA256
69c7b934cf756d4f87cc69027e8cfe4413f4f6284a4540ce3f18507f69bc77cc

SHA512
b00f3c165d1e921754c1a039de7790eaf0a4fcb0e1f1df1453e7ef1e152856d55b8569393d736015d998a7d3527e419ce26e59fa5264cf45ae2fedad48e3d75d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e4c264336dfc5bead65b1f55e8c21230

SHA1
c7d5b1012d58eca32c41e2da5a840abcd6745a4a

SHA256
842bf88a317aca01317b6c2ee2a99a52771230d72280743cb028bef3b7c6f024

SHA512
9b2d16382e94d063a808fc279befaec6fed65c4004d84f81d556460de8ba733a35c471122be6a68f51d58ea1522872e4aeef6037643149af6f88ae2391869cfb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
45d2542c37282a32db8341e545307f30

SHA1
8ef634c8b51ea9b4a6e580e40acd495163f32f44

SHA256
0d2c33ab9f7d7d65726b916bfd504c2ac8274726dd1194edd2a20c14885b5c7b

SHA512
67759a165ea88485bc6fe5fa7db85fa473e4c41b1250e322a380255adb8b9374651ebd3d5f3cfe786fddf31415b7d5be8a7a41c73d5bf01c327b7b075df28ff5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
785928cf42b2b8cce5fa5b22a9457520

SHA1
9b9552f96857383a039d86096674071774c5c525

SHA256
b6778458bb4d994ec858c857e8073d0ae747cafcff10c7ca4f353eb50b5008d4

SHA512
ab8e8bbedd86f83915acd8cbd2a8a9018deb510893ba1132dd3a0151c24ea5cbd693f5b4d2b00165320e9e5704a1826d6d1cfe39216ca9ac07f6c81d010d63b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4294ccf8cf9c6f2baf0f6c8ac1946c5a

SHA1
28f53d77be0175661aa53e2a36d009a575782b11

SHA256
48c5a6d20e8ff6b2e5bb61c8c162cb2be3c576af6a14594d2a13ee05b55ce75b

SHA512
29f40381d21a9dfe7ff962d28f2f7fb084be4ee7096f1d09537c55f5ccc8a57e914f7f58ec152570f3d535017d0d541d12d39d6a225617cd18c376b8ed3eba6c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8d1fea4c7dae1b06ceb641e221115217

SHA1
ab045afd6ed62f2e0761aee2924fa440d0d5c75f

SHA256
f06ea87c3f2da1c6a748fbf602f05997d7c1c3230c1c2389a1ef84aab894ed40

SHA512
50fb7864a94695f18422bd47640e71d0911af83ce001485700696f6b1ef0944156f932c5a4ea8642044a2b6da63755e3950ef5e2f4b6d995afd1a277c6c9e1eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c0aec3a27b728b2681f595544f3f4b43

SHA1
35e4469f511e36092f1dc474bf7410caf8e95bf9

SHA256
db3c7f62ec099fabac90343c524561e2c4d5e8de018ce8212dfaa94b030e6e6c

SHA512
3e33be8ebbc8588513e0ad7201dce5aa9076e7d684bb05fa459177da7b3a4643adc4ca8a05535e8fc6f84b72f57c92efdb41e2d0328f9077be2d21e4a0096004

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
291e6f26e206660c95415c0e677c53ec

SHA1
c1b478cc9c41e77d08ff0a4e315e239b453895e9

SHA256
b36a4de133e62c627588da155946f17b34934a5eba4df3b9efefce3667f393a4

SHA512
4c90247ba33d25ca5c3fe0e9272f51b9ba14b79a38c2e09f51f472169c245d0705989ed65ba3a7a4244d99d46850153a2584e0f122ba574f7d685b4a93f1c1c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9fae4ec521ac9d08d43be3dcd83f71ff

SHA1
b628e7320fdcdb6ef72a046d2cf02f578a0e3735

SHA256
34f190c095a21202358b4935c6ec525a702c6ef4689b1b9c98055b1cdbfdc6cb

SHA512
cc6a4513535d4cecaa01866253e69ccbae61666acce43a86d889dbb0c35659d1f6728b6d7c26422953dbe10f26208777c4a06a9816cdc799608d2ea6225508bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
58889162413a61831036b44a8fde2967

SHA1
452b788556207595e17d705434ce487a9579276c

SHA256
d818426b1ac5c2c0d89840e86f50d8e3d9e3f2d26bfe81d99d59f2e60e9d3b1b

SHA512
971f380ca081a1cd577e24c41d4cf589251126dcccf77c5324a9b003bb905ccb1d58187c6178e815b7cd80f7fb61fc67e1413d573618b4458507cadac7c1607c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
21b73f7ddda34c3c5164736fc2d09aad

SHA1
512dfa7c5eb9bf420e67584e17ec286870215437

SHA256
bf20054525ebd0034996ce17404b7a3c8275d147032780a61c7810e854a95625

SHA512
5dcfb021695ff3e10be000924db7ce03738e575a7c8ea6f33e42ab47e991e4158c3f07ff0024b3b285a475232716cc49b5e857a788f6425f7fcfc7498f85d89c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d0d291800786779e4417d8b1f8bd64c2

SHA1
e5c74be1128f7fe50133138e5223611d3dacc536

SHA256
e017c102024d38af89db9cf119aeec50b43370f395f407bd1af20e629ffa283f

SHA512
c4960fc7755fe636dc20de6d810eede9dc73e6326385aeb21e38157d4d1b17896326e738197a4693227e1b32c290bdd1a85e1fd19ef2a7d7a664568090a16f40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6233f66541a67a26a0e859dcfda449c9

SHA1
6d82c8bbf14f2960e7be6736f70cfacc89f4e368

SHA256
24e95d9452af6229da1f5e184311fb34670b8a9871f9d4b379035cc6f417203b

SHA512
60c860d57532a87ef3a2418ed87af283f610908d699137bb0bd0e553f828a908afe80deb0ab51cedea0a1a3e4cc11f4b2194e79509ade5f7c872e2ba3a6a0d71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3cf777db93316ed79627a7c2d07ac2be

SHA1
d78bdb72425be740828ce79e61231b46f9eafc9a

SHA256
e0f75d44a46587b29c2504b333f22e797cb6311dd87e46cb423831a3fe4e2b79

SHA512
617f4caa77a43c96b969237ffc6486ced3e9f17a5f9c2160bc67933a4069725000a64e10fa176da11c5adcd56ea80c8e92142d5e6d509b7bf51a12420100d253

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a375804263a0427db1b34cf0390bb20e

SHA1
454329411f548fefa9a11c6bdbc950aa93596fdd

SHA256
1bd0d7602e338ef47f1c0a88b42bed45b795b60ea0114f64887ed59647bb1c68

SHA512
372e69420d598cbfa3d0055e26b6bcf26284bb6046bd76b663f604e1afd735ab83978ecb95662c5522f2b489fd5f09b8d6e82142469460fc804ca63f229bb41a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d00488d35da3dccb037f7ea7bf6bd865

SHA1
669c285c171295db3f6e108937d85eafac620d3b

SHA256
15750fb319a45b9dd806093a5594dbc0510ab2da2888013f14977c348840cb06

SHA512
2922ed82924f136f4138bd9a23274adf8b7db32a4feb35c22ebd0cc5a2bae678d2ee37270942ed6bce31b9603c074604a1ee8643493a8b20e7f6e7dff0d60090

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6479950faa47b9e9867f11726b6b693d

SHA1
dffccadd6fd17755315130b29af4d77350387793

SHA256
171ea8ea5ff094f3b28fe31d57bc2e181f5fe0c42acf282e378d66779e7e6320

SHA512
6176e3536b6fbcb65f7c93716296d9d84edb3bb90b6ec68aceb867e96b551e5910fa8af52b50f00dbc5d89bc849f22372bffcacfdab2e3d64004fea58022e3fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
714e699ea728a77ec3d3b1d333db967b

SHA1
480e1323877e672a34b8122866684d8788f35e41

SHA256
c4506ec3e29b9b6cc241979983dc863fcc22d9f37c1239afc4b658499ef54d79

SHA512
522edf8f757b0fc36135f9b23b0bbe9861777ab45c92dd4aade2a079cae8db3b01e4329b519e6d16ccd5e71fc27179e6ffe551f5b9de7873b632f0d1ed37493d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
fac725a402ae5ed23edf753e8d320de6

SHA1
dc3dbbb90c8da4e46de60ffced2f746413dc0619

SHA256
dc1818a7d3c88ca0cbd0c23fd64c120d018f5a4c3fd6674f3472aca6eaab6b8c

SHA512
55e3fe42d4b1b25d3ff48bb30e24892a5843855e3bf1acb0457379b1da4de17ff522bf7a0d499d9e5732a996e3c7b47138e2d577b5ddad747d183c5c1e2d6224

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
38878c53989f2583e05de4a8d258cae3

SHA1
493be93637bf3ddee2b5264bc985a003f31495d6

SHA256
e79649a20cb24399ac2b0dca4f4dc97045b19dfa479181840301aae73dadaeb7

SHA512
6786643df2092ceec48158e1f66aa2225b9d63a414ff49a1ad3363ceb530b89c5be19296b5a04d8a825446e7039241d55217973a593fbf69dc416d4e903577d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
bca0bee5b3183ecea531ac99fa4bf823

SHA1
1a205877cca1bb80a086b84c7453c26317361a35

SHA256
42213aa960dff4fc57d0a63cdad30c635b521d1eb2e2f76491f5d0017cce0152

SHA512
7daf0b9fe54e179227704865b7493f8a8a61796e892ef60ed70433128e20e135d7e433dbaf69af6ab5639024df212ebf449c626954338bc8c00171713ad97a5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
15ca2c2049323d597ad5994a58e17264

SHA1
7717415854d457dc778842b458e8e42cc7059c79

SHA256
70761fe1d36ecbb3ab7d916f32ec74725cd44cf0a031ab26fdabfb365dd7ee85

SHA512
0af540b98324dec1f91bab9d005815af4af384def1a58653cb024d31d8435656a65cbc991106d37ec5c63971b69d47568a9b1d15ef1ca90889a023369bf8cc02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d83a5c9cb1373277e23a43a882cbda05

SHA1
cf76c3ccf57a3715f51a33d4ca9bdae999b54763

SHA256
9ed0a23a02e3a242f5a566472986bc479433d04bfe706e32410eb2d8d6b5eddc

SHA512
52feec475a2127ef4197f865ea894e101c6aeb63e1a336e84fd2639045ad88c66ad787754a97a72e789e295ba8a2cffcaf003cd284cd7b59aaa93dcb544e7f81

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
44baab941d65532e708732bb748e3692

SHA1
cd315a32ce7606159eeb4392ee006e9eaad12626

SHA256
1a0771ec30fe9487f5560d768b2deb1ac3ad8cb9dc582078c438b2b01a47bb42

SHA512
88f9f28f506544066d456f6443cb38968d5f56d97995bbb71574ec1ec73190ebc85baa8e0ba8ee00d9b3391b9974c20537a2f27c12c0fb4f7f9e761e371e9e1a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
43767f7c1a45331a63c1b7d4f5b0e249

SHA1
798c5bfa3c3ae3b6fa4dc924de94ce6914b36cb9

SHA256
dbcf6dfc315c78548d41ddb2c0f53ef1fb2fd214878f20196e076e83938edd90

SHA512
c7d6b66add58b4e559a1f16ad5c142817a810a5338d52362b62cb91994d9d65b3ea6e381a604aab58e4e61e693d39f095331dd8d80972db4d60efdae27d53851

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c085d786eadf8c2bd4f375249bdeed84

SHA1
b99963dba908feac692e77aadeb83711b205276f

SHA256
81ec6f763770825e79ab36ede031a324640995ccff8d98fbe8efe117016f7887

SHA512
b347f417d38b37a40f9e2db5351ddf32ee4dcfa3985243127d3ab5c1039056cae0453ac30d8f3737a25980b122ff6c654486cca003f797f315b50d537b62563a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
40b711b371b5562d7250555e5ca1c4f2

SHA1
9baabdcda21f1374e07040386c210969c60e679a

SHA256
8a3544ab5d4677dbdb66709d50ddaf156133bcfbf74d446fb8041fcea597291b

SHA512
b8dac5e2d7a942d22e1644c85191b435b025267907a7379e2027f2d159bf2f68d5785c419055febb148f9207dc7fa57fd28802196b46e4e10169eb722bff13ae

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8b26d6632ce84210bff1324357d3b0c8

SHA1
b6605b02e173599a365d8b72e5287b91862ddd4a

SHA256
5b09a1687b0e2ff88b13b931b13c03505a88eb28c86d6b190ebc8bda276b50e2

SHA512
c93710903bf82e53c2b73480816427bd5d1c2bf4040fc193c5600ecf161c96a20a2896192319ccc9e87d1769a3bc7d772109592797d67ea229702efff079b791

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b8b6956ac7dfc05f6604d3ffe5f761f3

SHA1
0e867fa5ad383b1ccad8db1eb93bca9ee3a084a9

SHA256
0ab6df8c557bf74d24a79c8cbe6990a5f03d7dc4a5ddeee1c9514cc940205660

SHA512
8e535f3229cbd6cacf9df65652975506f2ab7689f4609840a20a2e6caa8dcaf2486b25239da882f91821825bd7c73db1eab4da50002c29ec6c3a372e7b02e077

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e9de611109ae501ce1f5aacb2fd02955

SHA1
c0bfd7c581e248d1c264b9de9d0dc982977ae1f5

SHA256
3fd8890d2df21d47e6d26c33d5ce6906e54716d3e394ad5543926b210e0dc75b

SHA512
30bdb84637929b15f1b2d6a1d0b58cb16dca4d9aa6aba2c28bb094fb96f418388c3a8355bcc3076c629c12a2a256de0c2359ce53a4d6f96ed0f61e05a47b335d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a148102572aba0802697f69a2d01c93e

SHA1
b8f6527756009c23112e3ac1d1f538307c37b1f8

SHA256
c35b37c53b2555e7bab650fdedb4d894087a3f99a43de37e7ac4e43153ea94bb

SHA512
34eb14960fabfe793cc7eca7fc6feb5fdb88f1dc3cd77248ecf1871b5bf49a661fb515ef7ad5c81a2a5e6502b0f243af05ad3d2284233502f0c5f214b8b7cf3a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6812c02e8dc6e49b0e8d6c7fc9564e5b

SHA1
36f8bd5a9da3dfb8a73aafb9b323b57bafd090fb

SHA256
6f813a8c2fbc1ea622639dc1ead12567d45d7641404e13df245face282ac16dd

SHA512
8a75e464fb2489cf46f19fa1fb28113791a2197d1d6fc96e5503280a56d66ce73d79700536365f2698e032a6c23470828cc47813ef3e40005582c8f4313deaf2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
53be14ba94c44bfa2965df00d60f1805

SHA1
1f4390825450e30803b1fb8746d025de21fba8ba

SHA256
fb6a0d9b2b1ed884ed8d05bfda2fd6305004dfc9defddd6e57c05be207848804

SHA512
a646e86416fc900411be4ab27b3ab670d73ab3e943feb0a20366a3872d88bc9f40694000d54c38fbc431e3f57233b3eb857ef798a5020ff145d7616dfc2efef9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b8947f8cf367cad521d53e354ce2d2d9

SHA1
1a443ae7e43b3acd7ac95f61f1d040a0252caaf2

SHA256
deea141f42c3ca9d121948d7ede203f8ec26b0982dce1c8211f62ade30d693f0

SHA512
f2708f40d072bf7998181d8994ebe44792087528d06d48d147d45b36092214727d87ed9ea1b69ef69ccc6d3a656b910f3cd0e16439975dda40497cae60f4b340

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6ca1b691d19c1d4e094567861b94fe61

SHA1
c1db8f9604ca0d24a4d2b1c0a9ab81e42e9cdb46

SHA256
a38861412fbf7c451fc7470fd08306a6e76da5cf768f3c10c94e8bb90391f2ec

SHA512
85ed71b3916d506201763e6921a16eca464c42e72f9f1472035645f013c4fb44e5b49abd9ff91ab583861423cd07d6d257a052ee6160b69f1b4f83765e018d2a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f7c70a1b51b140e2a34d2d5938059500

SHA1
17c28e9e2deb6cb896f1fa9c58b661ca8d6eea01

SHA256
2d2b119d17122d09208a88af0384c518423f7d579ffb66f86577b48e0a451f24

SHA512
449afc7a4437ca95b047f8856f3bffb67c0650dcc96897d21b6e107ddab27ad9d48557e2b543d68e9de40245eba64f12044668ce8ad05c68b1abd8991d4dce61

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
43a49b01eddc399f73c55e5a00f188c6

SHA1
606c14c4b6689081a56977d82c4689708563751e

SHA256
8c2f4fe06c6d9ce734af8e604b59dd5fe0773d10d985c60df35704db8a56e076

SHA512
d319bd824170ae2e93fdbab41ede7704bfe996f76a05bdaf5884b7c5884c533303399fb5cc323e8b5d3a15b3251a6973281103afeab01469260195fcf0dcb82e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
75fc6398818059ab8cbb14d26140050a

SHA1
e744035831b42f44b92c37a60b3b3634b09d6353

SHA256
3c58ed2fdd13b8d91a570bb4867d8196ea8502528a382303196ca6fd7c858731

SHA512
e8f64a84b364d24f0687e72b9528b197618e6aae7f076036e8485cf70cfd0a0407bbe6e1fca2d78048cbf7f0c7796a0dbb8f85248c7833a9367bad0f8fb04e81

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
17061c8bdc9295f23629243da05c4d26

SHA1
51bd60c24138bb72e5d3e52564f1350637a50e6e

SHA256
b5ab3b92347c4c4a8908dc78b0229c42b5cef78d3380c453771bc5e6dcaca688

SHA512
cf302ac46590433827bfbf725c732f39890fcdbeeff986caacb5fc7b7f22e217ed846c00a5c45ebd9fdd5b4b75e35d440eec6b9ebaf641c1492625449068e64d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a0fa5ecc08323abc7557f292bb745d61

SHA1
db76cfb3560f475c1259b738c85c54a446106a94

SHA256
2da0ed38bf058e685a1de35943d46130a5e8718e05733cbaa333e16c5fbcbddb

SHA512
0356c6e9f035a8e65958fbc8bdb8550ea08100deb4c6c7a381ced0b60a62b4aa543bb509523c5b800967cf1dc02f3ab0039d601140aaa5ae7c5ce879bfeb9334

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
440e27dd3af5761952e1be74a9e5fdc7

SHA1
47ec71d12fcec38d14c1627a7c95c459496c1c1d

SHA256
066e2fa5ed00d35dab23f8607358ed1e7861c7be472d05d75006f832c7c809e2

SHA512
ab2d2facd299dd223c9231f3bbde44d5847e5ed51adab873c371a1513a2f5efbc0af54ebd64933f44c2f9d7a0b831ae20fbc7c48ae5c678b0d8a459907952da1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f447a29dd6a31ec9318462022f7cc869

SHA1
0025483911a9ac3c5b6c035f5c96feee0ae4c565

SHA256
9620432c1cb853dea44dcaa6156913c5fdd7a4d2f3621ca843c1b3fd685efa47

SHA512
feac1ffa075190ad6b40b02b107fa8280565f7c30ccac1c3322507061812911b30f032f9dca541f58d698278de88ba4e237e3f8046c4f949e8f2534300fce7d4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
50e77d99a9a28256f94a202bc02f4a76

SHA1
9a5019dbcd13a72e2201eaacc2d1200e63d369b3

SHA256
233b6e4bc20811433866bdaed581ccdd3064974cc4e47b8895c62cccd7e3b556

SHA512
91d90cd093f821bfd8028e20a1104b2aab5d4a73851b1409af1304acc8657984ba023c1f5ac9eac1729690e40c357337390da651f9c55ec6c3b2a0d1b33cf5ff

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e4aa134d74d6461bfab8f2ce291b19bc

SHA1
9abe5cee6d24cf5c50ffb252c8521b55a75e6d4b

SHA256
8c7ac382b088b347bbe78224c3adc5a07f04c50c11188319e39433f84cc16387

SHA512
72217cb738e63c18084509274f2fc5bd120cd30cbc17e85e18000f6d735857c90134675db543de0f81d444f6cc034ec32f1c9fea31b63153e3332652b62d56eb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
03474d0655561f70d66a538b088d7659

SHA1
99980a5fe35addc4ad17bbdc3b1e6a5772f7a057

SHA256
f5d3db063a3e88dae2a6e98b2fe98618c48e2d550b5f69d82bfb42ea8153913b

SHA512
fb2fa77dd909ad6e914bcca733a568029be2b22ebb060500afae1f5471ec733f75bdc64525aa3cdb0e4e0f2139226033aeabf8e565cc83f43bd3d0d6c75fe58a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a845710639ca97ce595d4595ddaed3c5

SHA1
c4c4d745dcfe6ddb77c7aa2541a193f2adda2e12

SHA256
2c7c277cd75595f75be91a9aaabdd80684c2a89ce0049a76f7823e697cb6e646

SHA512
e6f6598cbd97d75660ea28057a07a50f90b8f4e1580a671a87c6700dfbbfb1982b9fd7d716e0e9f5956abbe5f59238778259059d899913934b3d0e235858b019

Download Submit
memory/1360-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1360-148-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1508-345-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1508-120-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1792-74-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1952-102-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1952-163-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1952-108-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/1952-103-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2376-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2376-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2384-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2384-452-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2684-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2684-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3044-97-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3044-159-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3044-91-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3044-90-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3292-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3292-101-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3336-446-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3336-137-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3432-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3432-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3432-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3676-449-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3676-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3684-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3684-448-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3732-112-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3732-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3732-18-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3732-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3980-441-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3980-124-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4180-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4180-86-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4180-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4180-80-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4316-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4316-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4528-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4576-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4576-40-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4576-42-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4576-34-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4636-56-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4636-58-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4636-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4636-68-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4636-70-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5076-167-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5076-113-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5092-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5092-453-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5100-365-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/5100-8-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/5100-71-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/5100-369-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/5100-0-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/5100-9-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download