0f409a09667514eb543e482557f958b50d9a467dcaba6ebb0e1f1c0e681bc404

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11e70c59e5542249b2d4a49b27d25650N.exe
Size

1.9MB
MD5

11e70c59e5542249b2d4a49b27d25650
SHA1

628d53fcff71f7da29f00d549beb28634fded4a7
SHA256

0f409a09667514eb543e482557f958b50d9a467dcaba6ebb0e1f1c0e681bc404
SHA512

2d47bb81065b0532f41920426b7d42484a60bea3c8e493df2ac929dc091dea6bbf12b2dac01300620bc13d31b3f72f9756123373ccd7edffd56c7a2f4d7ae063
SSDEEP

49152:f4hxw9+ApwXk1QE1RzsEQPaxHNG+pWAV7QqejX:fl93wXmoKlWAV7v

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5012	alg.exe
4928	DiagnosticsHub.StandardCollector.Service.exe
3580	fxssvc.exe
3468	elevation_service.exe
3276	elevation_service.exe
2944	maintenanceservice.exe
2044	msdtc.exe
748	OSE.EXE
2928	PerceptionSimulationService.exe
1424	perfhost.exe
1256	locator.exe
2664	SensorDataService.exe
1648	snmptrap.exe
2176	spectrum.exe
4648	ssh-agent.exe
4832	TieringEngineService.exe
4008	AgentService.exe
536	vds.exe
2348	vssvc.exe
696	wbengine.exe
3944	WmiApSrv.exe
4524	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f35fb8d8c979ad35.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\System32\vds.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	11e70c59e5542249b2d4a49b27d25650N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	11e70c59e5542249b2d4a49b27d25650N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab6a9309b3d4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000325a09b3d4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f52fc09b3d4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fc2c808b3d4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000851f4709b3d4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c71aa409b3d4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064d2bf0ab3d4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4508	11e70c59e5542249b2d4a49b27d25650N.exe
4928	DiagnosticsHub.StandardCollector.Service.exe
4928	DiagnosticsHub.StandardCollector.Service.exe
4928	DiagnosticsHub.StandardCollector.Service.exe
4928	DiagnosticsHub.StandardCollector.Service.exe
4928	DiagnosticsHub.StandardCollector.Service.exe
4928	DiagnosticsHub.StandardCollector.Service.exe
4928	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4508	11e70c59e5542249b2d4a49b27d25650N.exe
Token: SeAuditPrivilege	3580	fxssvc.exe
Token: SeRestorePrivilege	4832	TieringEngineService.exe
Token: SeManageVolumePrivilege	4832	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4008	AgentService.exe
Token: SeBackupPrivilege	696	wbengine.exe
Token: SeRestorePrivilege	696	wbengine.exe
Token: SeSecurityPrivilege	696	wbengine.exe
Token: 33	4524	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeDebugPrivilege	4508	11e70c59e5542249b2d4a49b27d25650N.exe
Token: SeDebugPrivilege	4508	11e70c59e5542249b2d4a49b27d25650N.exe
Token: SeDebugPrivilege	4508	11e70c59e5542249b2d4a49b27d25650N.exe
Token: SeDebugPrivilege	4508	11e70c59e5542249b2d4a49b27d25650N.exe
Token: SeDebugPrivilege	4508	11e70c59e5542249b2d4a49b27d25650N.exe
Token: SeDebugPrivilege	4928	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4584	4524	SearchIndexer.exe	112
PID 4524 wrote to memory of 4584	4524	SearchIndexer.exe	112
PID 4524 wrote to memory of 1744	4524	SearchIndexer.exe	113
PID 4524 wrote to memory of 1744	4524	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\11e70c59e5542249b2d4a49b27d25650N.exe
"C:\Users\Admin\AppData\Local\Temp\11e70c59e5542249b2d4a49b27d25650N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3276

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:748

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2176

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3344

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4584
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
de0335cc8947e5dff796df96815f8b15

SHA1
88b84cfd624ddade520b5ac60b9c20607061f4d2

SHA256
7d01cbf21eba90ff437cc8089f6eb8ede22ca22841dab43eaeac9214fe463273

SHA512
12ed661b879599127ef523607d0068a12090bd3c47e17facde0b6ddfd1b99d40eb7d94bad533b05aac9921072835f92c0b7ed7bd3ae2536adbd1e6f64164eb21

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
a64aeb18dd5ffd0e05c75ebf2aedf1e5

SHA1
5e54c717cf07a568ed6400272bd4e3d19c225aab

SHA256
d34fa43343c5225dfe52188e38386c07f6646ed3ff8afdccc463513804d9eeb1

SHA512
1ad4560c3427860b89282f8973cd386855670559a1aa5b47b47174b5067fc63ab33b487f30ea0a7ce9ad64325c24aba18d63e025e5796f728ba3b9c4d9490abd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
58b8b29e6155fdd26f229f4c5d9e96fa

SHA1
7c8f3d60a195c99efcd9c3902eee6bfdf7c8bfae

SHA256
4306b2695d9dceb8f92e3f0329bcf8d3f37d3998a2b5b54e1eb0252dfd59a68e

SHA512
5ae8c10ed6222aa94105fa0d17aec99485df35697e4ece707bf39cfbadd144eaa25ebd621d8b0c9067d54a0137699a01029f96c2ae35cafe60a9184bd9973cee

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
59bdb0477f6ce778fd9e385b50e09967

SHA1
eea150aec2611884b65fd3b048639c090a972635

SHA256
7f5c17f22e7006ff5c693cc62b1c147532656d3dc4d28bfbb42a185eb82f72b6

SHA512
c42ba900863dda2609196732609a4f57584a32e1e9a7379b41b7705075829ac532fbadf5a63c39c328df6aa45a51fb27fdab83b258b86c21bdec28d0099e4e1f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4a4662e91861782eea52dc68a309a8fb

SHA1
9f38ed5bf0f16c7acc9066553e21c867f158f131

SHA256
134e03aa0c1832da6dfe088ae8d7f2895e0a152c52c6df633ee5bf852d45b99d

SHA512
fef67248d5562663d69f71b2a4e88c558b924571ecc3cdce2ab95b7a23b5e76f0276838d99064f1a3fcf21165c30b654624beb032aafdc1ea8e1f21b84ff7cd1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
38bb983e989502d320cc5687f4f15ea0

SHA1
538a33fdabf4fed053d27ea9744a34fd1d1b321c

SHA256
731691df36f24df1825686d6097c41614d963fd0531135984cb213d3f0ee648f

SHA512
fd635c0b59e27101b4e05c574e0dfb6e2663a398ab7cf77b49947ce727e34c77b892cc4cefb56321fc8efaab79781d3887b2207ecfa8847278ed55d4fb887be1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
432a59093e7fbee6f1e7e4074a83bc76

SHA1
ee20674934c36f30f5823de7e45ff02d406d61fd

SHA256
18cb17e62d7366da89e8cbf75d725fe1c09cb0eea0ad999c8274afe9b3a49c98

SHA512
d5fbbdb968f122d4968c18e1ef4e14e0ad3d365b4380bcf5be87c8008ef5272fd0ea39cb61a44a62a9cec4ee2c3642ac5da82f8bf82d0f5f87956c5bbaec63f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cdc94a8d195fe11081167c0ca84576b7

SHA1
c2f0789a7f7617db19e70405d9eb76435f86dc1b

SHA256
e1fe8589dc48ded163c061d40804e326c1c37b5123f6f605334c0bc218774e77

SHA512
6fe0e81c8a69c62364bfa4cb9d7ad2cd9b93e8cdd6fff70d05f9e66c1169d1d61d83c4d3fe4265771a2bbf176de1c5ee6ef88f595d3fadc2c914341240e96418

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
861c29724200c3c81c168641eea91b64

SHA1
5290abf66b1d3cf9ede64f08aeb2f0c2e8d6cf34

SHA256
a93338fa71a208fc1746abd87e8acd38bfa093ab984f6e2152c9cfc27d0de7da

SHA512
bda6ad2d4b34c5117f1950867f8436a33c8bb41fbe3083f2919bbc6f39163a63ce0086ce7b3dcc4b5143a8efc4a407d952b4c838aa9e2a8086f120152319fdff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
86538f2337b06138e41d7f0b121bc3cf

SHA1
6102feaf6372c0b10f7808c58812c5d69a3847b4

SHA256
82d43d1b2141e3e4ca02f91ee4023ffcb81dd0d27f017ec3d149324361f65e91

SHA512
ca959f3817530c636987d85eaf4a0cad1a9e6be6b4eb04919346f91a266d3f17c49d18ccd8cda0bea11ea123db21ef9869d11749e5952ace547ad5a08c324ebb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2940032289c5e80dea48f798138f3e22

SHA1
bee953cfc0c432e1dc94720ee905cbd17a30245a

SHA256
b4d667e3778a448f96e1ea1e2738286fccfc1ae9b94d8b753b5a1f7c0f3f635e

SHA512
f9846ab80f461560140502bb822e777822c41be854d8f1cac4b1b55117465c94a81c773ed1e453e6f9fc84a43f14cc7a4b443a5cd25b731a7792b3da1c5f8dc6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
da8e691738bcf00931bb0c416926b3fa

SHA1
52f8fd457d6920531b2cd49ac2e25aab975776aa

SHA256
e903aae7f19c6e5ea421fa42ee7cb62e30f5f7b5cbbf44edb70bd59f8363a5b8

SHA512
7c92435cf99d36a0443bbaa8882bae68f9f7eb4e3c7628d0858e347b8c7f9b34da2fcc15000e7b5f452004b6fe50435ebd5037ab0f91f2fe7c844523ea4bf38c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
890bc1dbdb558d8cbae1f84ffd5d17c6

SHA1
8d3f7ebf932c0ddb5cf054b4b415aa300eb9bb8b

SHA256
3d5de0bccc2e3354069760f183878a501dcc1eb8c3c8d0830f194b31d50cf967

SHA512
02d7446a883b1fcdc968a84c1e2131f571ffc0af295604042cbb062c63dde5ead33f69b1be4779186c869b78366a00d31bafeacb9455214180c9373139e2a473

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b92e4faf54032eaaca37b2f92141f871

SHA1
df57cf73f9359c7c3b852b446415a45704fcbc28

SHA256
e779b98b5819a398641404d77d8f473b50d97528298bdf0913fe3137624de35d

SHA512
21aa1429a5ab563ec3822e8fde307059362d4ec7dd3d67aa4c82e84b9ea47fde20eef5feb4ebd43b42b3a787be7afb780458ad4dc1a7566b01efc6fe56c90d36

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
31980edea4822ee6c23c026b0a0c229f

SHA1
0c3e9872ee9af9eec650dc6b8d3cb75fcb2671e9

SHA256
67856cf59b586576f590f34115003644b634769e5f1c69cfaef0d7790715b73e

SHA512
8df34e732c26885a54bd5778f21d121b441caccf4ef1383f63cd8555193596263e4f28e699c407acd7812d789209989050dfe7630b21be87917208f42e5877db

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
8f57af7531311e03843488c6a58c8e48

SHA1
4dcbb2b38f85c790e3176338c2550586877bb09a

SHA256
38e9334fd5a28537f44025012a56b8ea074aa6a9003140c29648c6ec72f8b011

SHA512
5a5d60ab9c20545d55ad8d0e31eb4f57932b5299d9062ca17a2c692780d9d2e7028a9fecfb9277196f6512deacfbbe619b626a7d306469b27875fdc4fba4b827

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3eaa03ab2dc5bf49a7d351a83fad103c

SHA1
89455e9fcb68b87d2686ec12359b189418f0b5d3

SHA256
3ceed22a003a1f258ece75fc89090998717dc264bf3f11c8917c3b41f64db1f5

SHA512
41cd2feccfeaf24b2c3f47499b361b0927764b2c86a258e03ce6fc1673ad96515c82ea534cc8a4496a2d6be8e9e9fae9affbf8b7e15249243fe9dfec3d1692cd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
94ab9a69b3bd09d9dbe5ce117f8dd137

SHA1
fdb6e56089f7cd6c4f5eeab1a1e4cef5f087e117

SHA256
deb3de28d6e686ba78dbdd900dc2c475cd6eea363b2c2f0d9fae9a7206d9b00d

SHA512
3ef4e65d48a70bf40ac73a7faf56b34b42b2c44b81ee57dfaadb5e4d608f9d5b37c9a154b329130ef1db82844e330f2139fe6a75abafeafeee53494838f86f07

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
2a64f346f853525cc98b5f116ac40189

SHA1
8f56b33bbfcda317953e3c34e9fb543753f70424

SHA256
65af68b6af66ddb03fc5dc3bcd84f81c3072007460ed8a69d5e7038cbad20720

SHA512
fca585395d5df3bb43973850fc5a40603b53ea543ab85fa08dcf3ff3c352e8f0fcbc6ea379534b1c7fe31bb92c11257057271025cbd94cfe9f3f0adf35685c4d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
637ffe2449264fcca0ebfbaf21b75cb5

SHA1
80c57740d7c7b6571c0d7dabbe530b4f889948ca

SHA256
93f111dd0742e4d646ed421728ac227300125ae71f7557f8c33329675fe65241

SHA512
13dcf0576202d6c48caeb7dc40e5e18e2f64c89213e08bfbc013b50b0788e00e4c13ed274427161bfed839c57265813e12bc19247d0d013b71759e3e83127710

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
4be793a5a6dbbd5c73faa658ac372359

SHA1
002bb2a41b3dbf7c85cce8002f7b8b59bf9c2308

SHA256
760748463087f3959190fb6b3d75247d726399d39a009626cf50bc6975c496e8

SHA512
e28a451ace870d7863b99e9b3dde0c53d353622ff4101202c0f2783bf5e24d52bce00d2dd8153fedb64dca60ae2ba9d855a59d9d1dbb287068950067b51c0834

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f6c6717786cb558b5b53571720856db0

SHA1
08c91035bef8b671de281e7fa2512f864fe8adc6

SHA256
b8999967309bb62a89159952d58cfc707d6de479e9c067ecafb0a4f2e51c4b4b

SHA512
3962241d36ed527485deb600c1e256b9928b2b4f49c2db7073204eebb9c27dbbb732a650bdce6ae4f2e216e65b3293f5ee3ac44dfb2b85a35f1b91ecfdee5d14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0938b06a7717d94ced4dacb5bd19e3ce

SHA1
0a9d9c13824da00f0eec2ef4484b5c0057febf9f

SHA256
ccaf8e5a28ab0864ddbf5b09cb10372a50dc26b88e1c7f60f62136fe5c356c96

SHA512
19386a0b0eeafe1e01a12407d9b06fb5822b06c9b4acd1584b946ee35463abb10b8d925f4665c5aabe53d04760b3620d5c4e7b7f6d1f894568a4c9b8fbd17f3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6df98048a20cdb28c843ae6f909e3ef6

SHA1
b8e3e624c5cc6badbb33ebb5a0bebbfcabfcbf38

SHA256
553cf3e37f2658e938d824977267e29d466fb0ce987f2cda4f217f6eb2443ee5

SHA512
e84983ffa29b26a8aa2bb26232520da8915f30fca1a616ac78c11a0dc6a8759c779201e589bd7f25790c615c189680f630f8a9aa3c623975cdc99d1fda6802cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2821db5fe43ad31d9b54f2d91ee51af0

SHA1
cf541ce5295bb7258eb62dda9b7906a5f8449a22

SHA256
33161bd30cf3b45711b082d2c0cbe9d59bdadf610765c24d8c7a18d6c8b646a8

SHA512
26ed04026f45d622d966050bb0a4f121ea36da9f8feda56bb4ecfb60cf72fdbbef2e9c455f55cf72fa175c199d5cd162f1db7d45d638c98cd035842926ee58c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9efacadad37dc46453569d1f59a94b83

SHA1
f543373e2732ce4208ab2dcb96b12eb9b93f433c

SHA256
e4f7665d0fb4e3e39990672a7bf76ff0174349a568959a8381f3f8dd0e668d0c

SHA512
251c3291e5c59b3f51bd27e6e9578538beef839a10da16e213586727518573cd06d903539d4b4978f34b75940a7fa769e59628c34949e8ffe0aad9f4673bd401

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d88ce65f2ed49a0945c0a87fc6339a0c

SHA1
3f4a9f8b68913e07476796592c49e2e6ee60e0dc

SHA256
b97dfcd3150e67d5471fb1f699889136f0bc5d4133e7e9ab78d5ee7c57002627

SHA512
79b56f331a2ce8036cfe8577198164d6b9d7558308f2d32c4c20a2cc77404aba071c287ada6be697db7bc08d9be4b5d04e185f1aa7ae1679a397f95f58fe539d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ab3f94637ced026b0fd2ec3f0657efc2

SHA1
9852c08bbab2ce5bb702a6622514272512bcbfa7

SHA256
ea8758d41fc2826252906ce5582904abac9610242dfc06af9913652be0f9669f

SHA512
2bdd4fc0496c05568b945d2cbdb3c8e6ea23337f380b52a1f8661725a14084dfeeb5f1f3885dbe910678f6931df13dce90ad96759749913ca639ae1fd0c2acbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
00b00b71518f257e6fe6dc6e6cd9ce49

SHA1
e1475539bce48f7ea1c963118442a32b5e397b23

SHA256
fcaef13c3b5d0ad6a1138cd89df4738e8a1a03a065ad345334d03910d2976843

SHA512
e8e711d8dca8531df2a964634608d9cff718d59aa65d64bb1fcdfc97221da25e401240a4a01f150c8d0e6f757d967be75db8b39df763414db05eda413d563cb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5eca2d9469096d412f8d07dbd73ceb7f

SHA1
16492a9420b7b92263d29adbe4ae079e3fc553cd

SHA256
5bbdee5fbf3871553acf351ba063f7b1458422efa2a08dc26fc993802eff2388

SHA512
4f8552596539217c777a08494deee24a1229de51b15e5ad44d676c8edce5059e07af909292d11c8e0c266e20229c725337bc8b2acb03c1906286f0599c2798dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8bab5f98fbd1d86ca0e75bc1626b18a4

SHA1
a23350272f41f04c05715c23f815c2965600a25f

SHA256
07fb94ddafabfd0d3f0f7f931823dc29d12a8df6dc1b90e2adb1ed2f7d528534

SHA512
f69a1bb1339505740d1c06d894f853ffbd290c8cd66e22055c1fb72d929c48317b898694db8b94398c7a77f1d270fafe12c0bd3482a5e0665ed55ea7d381bd2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
274d79db36bf85d4f04d490e87fad418

SHA1
a0018a4492d882ceac5e09650f24404783d0f802

SHA256
9030eeb8a1114b1338ef132d0e1b0ae814c78bac7678912d64295466e38da1df

SHA512
5bf69d9da622e2240de133c642cd1e877aac6e10f21d6bf40eda0e047990e0e13ac45bbcd4f34f0b5568127f45984b715da33ec488fae96a25dfb48afa32bd09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
fdc73a98e5715fa82a1d50a1b7d3e171

SHA1
81f76b2b71f3f05a92e7ebcebc1fbc7e639b16a5

SHA256
ca78657c1f42f78200ddb82560751265eb118a95260abcb655423c6fbb0c7321

SHA512
2e4af79fa84f5d4de2d3ed722a3f03c367d571497845494cd4cebfb3bc0919b1ab243776c11c28de2c6ddbc2aa1f7605e2c28dc2c7b0107e97c03534e123623b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
dccf9332355a73a28729e83fa5bffd9e

SHA1
4cdd728307e1fabdb69e78bb0632208e61964c0e

SHA256
70243f34a01cc9668c4b6285971a5999e77f6ee17bb735cb5f67c8ecb0b52839

SHA512
2be7eb17ef3298cfce288bfed6b8f4a4b9f42511131a6384884aa7773958e6a308a0e4c5b0b60d035f7c0ac47b08de98160ed4e49daa0f1a9b424355469fb889

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3ac8d6fe96417968349b49a3ad6a6314

SHA1
22273763b53294e299e61ba0b0fa1ec38b7b17a2

SHA256
35a0d1b39e1615c3eb61f19a91bec598fcc72056b3078474d3b45052272cf8ec

SHA512
949947ca77f97b5b1497243ab530ce5966d260219e118133cc4a38553fe30e24cff60a644b5457849f2a85c060017b49b7fda5d190299a23fa4d375a86ba2b44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
2fac605bb9c17cc230093156aee3e5b1

SHA1
88ea1e20120506b7584ed6fe5905873dcf401d13

SHA256
9898c64f170ce1fcd38e77b190d2f371715d6d0897b14e9764d0e272ef532b6c

SHA512
2fa2240c76edeba63d55a63a112af9a7cae6221a4530d82d8ac5ea0d3461217b2d99ad8eeac0f9d450c20fef9602db02b67f7c92c29c21697ca79e42b1a8899d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7f639937886ce76bb4f4cc0055a33bc9

SHA1
5ea1e2e2cbd5ce79f79e1c015ba3344b7bbbe337

SHA256
ff7bca7881dfd9da3c7c54bf9a19c9439c4d97e01af7fe9e152e01186ddd26c7

SHA512
c031041395bdd5a0e086621c78b83f62ad5b81d804914c7fc6f35345826628540ede74c597968efce1410fea20285764c61427e0abfba223a00d317a5d0e069d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ca03ef2bfb53cbf26d69b4b78819e609

SHA1
c117972328f21bafef0942cba490213549ada79b

SHA256
388174bf45a545d7ec296197df1ec65b03ba7d4d94bbcd759610ae5273d1a753

SHA512
b86ba15a1cd5fb95a7f9b73f69c1e85fb30d061fb756c1f8d888c1d49f93d73194b373d4cb8aff20dd786c36c88331e74f1a9f1e093a07ac46f89d016bb73216

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ef0900487a14945901d146477f3d7bf4

SHA1
cb2baa8d2298854d872cf39386c87952f9d3ad16

SHA256
e3023fe6a45f22b872e2ed92fcbcd368ce8d8bde7784165829fb17f2d90fb28f

SHA512
3c3e1ca8f416684b0526ecc05ea14e92721d124cfda46162d912459766c0153f4d1f727fee5beba23f40abe49a99a3c32e59eacc7e9b388cda10924674f099d3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d3c2afa607c984709c41298459ccfdd3

SHA1
e485af7304a60784fd441ce84a0ede9c5d0c68a2

SHA256
26fbc14c8d0ca724f7c55d69a0441fead5e3ae8d8b65d4ac6105f771183e2115

SHA512
75eb5d9faebf199d1639f04c719cf720f36d0e60590e9fc970ada687a6176cc8c532ff85d3ee1a3c4a25bf5babf0d646f6a05870c565f210c566691e9d120fd9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
dd4d8b2e080e9ed9064f32829764b756

SHA1
4f207deaa86b487799e3fae754060c277e585def

SHA256
7066ad46cef41f6deefd6f8f0524424a3fe143bde1b736f1036dff3b7ff419d0

SHA512
7704b5b7ad7d15bc6042e15dbbb5797d8da0fe11dca1d0f877bf39841dee2cce95926712069ddc7d4545695db981344c4479b11ac1c4c03d73ad49e61229f7c5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a7f3c5a4d3d825051bba02afb8bd0e28

SHA1
88b859b10a6f31dc4ece16139a8db216af212616

SHA256
232cf19c9448cd2f07c8bf3f2f1d525ab9fc88172d41857f4c17cdd31b8a6d7f

SHA512
109e3f994d61aeb2536ce74304803a23ffed9c627d67f4472d98e3c64e298f010c2d74a4197d6c5d7e53eab02e543f68895dd8aa92732e596f2f3c5337bd8cea

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0c667421d825e3030004c60e9ceebd07

SHA1
fd4eab065483669efbd602eb9d0cba5d0655d870

SHA256
c7eee24a45a6cf65de16f5fd1c529e9e91e220fc1c7e19dee8064a2dee77944d

SHA512
3f9562008b308dd99ca7becdd6d303eb48a040cbb04db23283008615544c7c58badd871c6e01304e7fbbe4d3e38cd4e7de345842e64760cf5cf84b3782a6433d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5bd7991946d614360c8a80bf1350f37c

SHA1
c6322a2fa934a73e28537735b6df13c41637a914

SHA256
9daafe1a187efae43b259e0bec1e6f90cced96496d7deb055105faf33dfbb108

SHA512
0dff882382536eceee9389995a51ab8cbedf5d70f3ca9912c6f917fdd83d23e5cc2fb7427af26491cd09c79e2f4a746f2758699acaf1c8670e5d6b83a64b2812

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cf341c3d9a63c286707a2cd6be76ce96

SHA1
c64bf601979e13e688004ac529c90c4b3b031712

SHA256
22157faa4f7b220cea87ce3382c11ea19316000c539b5005722d22105d36bf53

SHA512
6609512444b6c6cdc411f82ebd0b1ab5ede1d619437ef63b053742e12c818468939c7f80d29d663d4382bd3a5adfebd2e1c23206b3e1414862caaed5406d4cb5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
416a6570617db4d825f8efd6f1435aed

SHA1
467fbbbf54f8e5bcf65af208c962a3ab2476d233

SHA256
1df4f94ddb043103750e6bd6b6f4f4e26c220e8a8edb08eddce1cc191a050c86

SHA512
e2bcab60ac22a45978c31c138f82f7200784a388e76ca9b65dba9680cd18e683351a122dea7335c192c38a19c42013c4e24583063147e0e36480bc05cfdc8550

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e385dd6d98604a87d73dd1e94ac44440

SHA1
af9126617d5c237d500d04660c04157db10a73d9

SHA256
a17a78da94b36f5c06acafb094142f3b04e1cc9f532e264be40f4c221bfff673

SHA512
9931e713d803d662e47b84676960eda3dd817c19c9978ba5a9f1571b622109c93e4b5929b8982f18580dc47f0d047539a07e8c456357c0b044db7221bf919f20

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5d4c7fa2641ca44535b4c30c4de8087e

SHA1
36f2df1f57bd0c88fdd301cd8668b259ce7a3747

SHA256
1b383cbe9fef287bf4ef367d631c465e8ecceb3e62bf33ad32a3ddb7e7f05ac4

SHA512
e8a4aa95a4af8bf7c544feee786ad24f188490fb1c2444e219c907454e41eca92485ec6d94f0af951f7ee969dbeacf71e311ca0c0f4858f33b8f584b6f391f16

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cabf5efb442bfe260827e4166009c00b

SHA1
859217ae4525bbbb253578bf144839d167bcc47a

SHA256
e2069b01d900bf8f6fcc00272fee98849090567a74c960f4b8fc8e1aca9a30d9

SHA512
f33375bd29b649c2dd15e4588e3a0921dbfc168024361f0fcba8cad5ac81d90b5cd3ae04a399c0384e0b83238855131612522f7c968ea40897e6de7184259d78

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
87a3337d2365d5d3376290553a2d382c

SHA1
296572d25e645cb3382f5f7bad112f57eaefbd18

SHA256
18a34126d3006ab7338f5fee73bb0e61bab5bdb65c9cffc7b4c31a37e22d5014

SHA512
bf73f14bd76391ca4166a81bb8ee42d3a306f2fd2c2b3731a83b6567ed2e762b93a1fb5cad6af7f2aa17d1434345259589a2713bc62abac254cf87b1d70a5b72

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b94384c7d5bb6afae9f223aa80b805a3

SHA1
4648ab529bf184fd7ba8c5dffe31e92c26c98035

SHA256
605a20058cb333cb9d3b97fa5f8508e85b47f511c9c138bccb4a5c318185c661

SHA512
575ea9c2f3761518e18814571905775980027e826101ae926d066d58273f3d8e7618275536e330321b4979c638aca39595e93ee52585a5ce250629f8980fd534

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a7677de5a6f7445ffa0f0a9548983951

SHA1
de313ed65c90593258860f37ae0fe4452756c699

SHA256
18625ef514acf39a7710a706b34010497917f67f6b39e2b0ea20e03458cf85c1

SHA512
0d32a811ef9700d1055e50a219abf48a8b706feb14d96cf9e10b1dd83f1df622f49c655ac0fc2a1e4bbef25156797896d93b15877553892c60c4762ffd858536

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7b6b021cfae793f267882d2d2871a597

SHA1
b7e30c872d98e159732f48999a0288976fbe5372

SHA256
6df9d95b9f4e3f68c7001aa4974902dc978fc1672267d8ff82d33b116af73c3e

SHA512
50c786ec477f43fd294e1e3c32d2e0f244b58119970b27ee4d52a2139c2fd2c02426de1d616646698728b4889d6cda8ce52b185ec4a63065308e829f1ac1d230

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f6a47003e4d9eee4991214b7a6a407f3

SHA1
f39df11cebdb7b1f306dc9f853c1e0fe6a41d928

SHA256
0c12c28e945ab4eb168212f5f0bdd8522bc2b66f0f91845636e83c607a515c65

SHA512
cb184874e9fd3bd5f3a86a250aca1287032eef47994af0fb32140567c59e3ba73e82b8bfc857bbcaf40be7264d5034b2b3270418bdeba2109f327555d9df7801

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ed6eb999a6bbcb73499f4d7b9f2bb1b9

SHA1
e8d0e1b3f771aec36f3584347c785fe2e29f057c

SHA256
1b9ddc7303f48ada03b19ee262e9e3677d57428f21df616e415eddd796cacdad

SHA512
2e93386466bd2004c41da453ccd642382fe96dd87eead6d92c6a339eb6f8f587ba71fc179b58bb1c78b2fb9421216f537748a33db31c852e09e32c5555e0f2e5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9e22c669730604bebf2144fcf8ef2d31

SHA1
d3ee84dca350fa3a0ad4e088885da592837096a0

SHA256
05c0b03241d8500799dd23f0e884b37604d2f9047407c56b5fe75ecd8c223b44

SHA512
bfb9913b9bf5cc201cb3d8c6ffff5c2a8e99a590733aa93bf9dbe3f0f1f618db56f9d361b40e48a8f67ec0a451c0e21fa038d4d4d44183aa5e3d11beaed0a7e0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6993b37f62cfafd4a0d4bdf79d407862

SHA1
37ed06d2e67bd6dfaea79b89692dff20b724896c

SHA256
89b0eddbb7c3b261cec30d915befffd7012ed430251c1d1e27aa3140f8669852

SHA512
edc87bc40ff68004c8ecd98686b863baba4458b1c58b53713036694e7273c857d03f9be06fefbad81e20c86335bcef4fac3402ed7103f072c95c60318d2d2aab

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c3203fc659146b209219e61627f7185c

SHA1
3c771f5bd1c27202eed4d415e6297717804faee3

SHA256
a1cad18e7a78a394e263a6be0e70f823cc433aa04b1bad4c0c8bbf94ad5e81ed

SHA512
8b80d934ede4a6b52f271a0d14d8437628b4aecd404a9c5eba15c953fbb630e08b6dafaf0386cc721b56b65e4481d9104aade3b9582b354584dffce7b7e3b428

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6ed0d815fa4eafa2721ff3f22971aa7b

SHA1
b9b0c03578c8777a5ed00fd895cf3ad5fe79b2f4

SHA256
e6b2466d5b36955651db64887404a89d00a74b35210fd660c9a29a85ab3d768e

SHA512
d3e48c7aaf75f6330a7d6a350225cf355ce54c17929109e9bc6353120309a8908ad71c7b5b64d987bfd3b811327be2ee47c52625eb035fcb224936ee812e1e16

Download Submit
memory/536-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/536-436-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/696-440-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/696-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/748-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/748-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/748-85-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/748-79-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1256-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1424-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1424-101-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1424-102-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1424-107-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1648-120-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1648-353-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2044-73-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2176-398-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2176-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2348-437-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2348-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2664-434-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2664-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2664-117-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2928-97-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2928-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2928-90-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2928-91-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2944-62-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2944-56-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2944-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2944-67-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2944-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3276-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3276-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3276-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3276-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3468-122-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3468-39-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3468-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3468-33-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3580-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3580-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3944-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3944-441-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4008-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4008-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4508-8-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4508-1-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4508-9-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4508-77-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4524-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4524-442-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4648-136-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4648-431-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4832-435-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4832-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4928-26-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4928-17-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4928-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5012-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5012-111-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download