5cf08542172ad7453bf1a47f5f85bdc2b52308162cdb1a6f3116d585173e6feb

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a3cb3917c5d46d4ddedd78334b84e0N.exe
Size

622KB
MD5

d4a3cb3917c5d46d4ddedd78334b84e0
SHA1

36954fe2946d4ee8ba50ad84d43b14d425d03530
SHA256

5cf08542172ad7453bf1a47f5f85bdc2b52308162cdb1a6f3116d585173e6feb
SHA512

b02ba18a627b95f4cbeee759dad5fc80b117882cc02bee8dca87941680f21c420005e3c80cd087a9361f86bb24ce000c1a4181dfe96054dcabf50091253988fd
SSDEEP

12288:suu3Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhI:suuHofe3y1sInB2COzRq8DvFqt

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4724	alg.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
2628	fxssvc.exe
888	elevation_service.exe
2012	elevation_service.exe
2528	maintenanceservice.exe
2256	msdtc.exe
3256	OSE.EXE
2608	PerceptionSimulationService.exe
4732	perfhost.exe
4188	locator.exe
4176	SensorDataService.exe
4560	snmptrap.exe
4800	spectrum.exe
3760	ssh-agent.exe
1828	TieringEngineService.exe
4544	AgentService.exe
2216	vds.exe
2644	vssvc.exe
4888	wbengine.exe
4056	WmiApSrv.exe
4412	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\84654354240c1bce.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\System32\vds.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\locator.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4a3cb3917c5d46d4ddedd78334b84e0N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5d1f3d228e8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063058ad328e8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0ff24d428e8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c2c91d328e8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065cd6fd328e8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f256b4d128e8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000453a20d428e8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
Token: SeAuditPrivilege	2628	fxssvc.exe
Token: SeRestorePrivilege	1828	TieringEngineService.exe
Token: SeManageVolumePrivilege	1828	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4544	AgentService.exe
Token: SeBackupPrivilege	2644	vssvc.exe
Token: SeRestorePrivilege	2644	vssvc.exe
Token: SeAuditPrivilege	2644	vssvc.exe
Token: SeBackupPrivilege	4888	wbengine.exe
Token: SeRestorePrivilege	4888	wbengine.exe
Token: SeSecurityPrivilege	4888	wbengine.exe
Token: 33	4412	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeDebugPrivilege	4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
Token: SeDebugPrivilege	4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
Token: SeDebugPrivilege	4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
Token: SeDebugPrivilege	4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
Token: SeDebugPrivilege	4568	d4a3cb3917c5d46d4ddedd78334b84e0N.exe
Token: SeDebugPrivilege	4724	alg.exe
Token: SeDebugPrivilege	4724	alg.exe
Token: SeDebugPrivilege	4724	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 5432	4412	SearchIndexer.exe	119
PID 4412 wrote to memory of 5432	4412	SearchIndexer.exe	119
PID 4412 wrote to memory of 5552	4412	SearchIndexer.exe	120
PID 4412 wrote to memory of 5552	4412	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d4a3cb3917c5d46d4ddedd78334b84e0N.exe
"C:\Users\Admin\AppData\Local\Temp\d4a3cb3917c5d46d4ddedd78334b84e0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4256

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2256

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4176

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4800

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5432
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4156,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
1⤵
PID:5424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
a96bfe48eec6b83d952e946e5c420fb0

SHA1
277998ff2b99841ddf2825d416d2fd79da6f3db6

SHA256
c9485c24f7bd239434a178139e54f214fd5a877e984e2cb575c97159af22045e

SHA512
d1e72eb1b3cd7887931f09d9a8c880c4016f8fa47cbe31454942f4e46090a63dd7207dd1062a9e79e3a1e31b733bd07534fd817d452e8b1095aa69a4097e3ad2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
944ccd8715a2aed53506dbc0266584fa

SHA1
677bb4d6551675a87c733721e36dc28b898d903a

SHA256
a70041a40f340b48876d840f4dc43310e9c466d410631b13177fd0cdb1b760ac

SHA512
ae9141c0aae1d24f83ce348c83c196ef63d093d02a46e4187dced117dc090551e1067cf93b977118b0eb054b3b1f3165311286c6d88f93707e53493f6bd40a91

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
fcbbace47481fe2e76e1e434272c06c4

SHA1
2604934d9d47e7fc64d94e14109e1fc22097f8c7

SHA256
67cb9735cda52d8f42e98bc79201c93e1afb47b9720aa8f6dbd4a9ee8f522936

SHA512
dfd34764d8e3c28414db5573f5f1955663480848998c3b5c6768dd9b5d1097036f18e5cb82e3051f1ec9ec0103161f430d9de6fac9d2026838da875fe0071bf5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1569c712fe3a188b81372e3f62c1fd42

SHA1
2f8d68c422905d3d5384243eaaf41668f1c3fac6

SHA256
d7f4c66f51aa919c3a888c2927a934583497b965fe1d82393432bc68d9b51758

SHA512
9ec5ce71106059dc9ab7f46186d6f62c7b5075897d269fd3ddaa5aa41918f07c86be231dd6b034fb225deb2d85c5d664844fd463c88f003e2ce43c0a100dfab0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
800fd64a772a176f5b48c8004e355417

SHA1
3017da0c5d6abb3d6ab3499b5bc60504de40eff5

SHA256
59837f66262884a9c3e0f1459bae78e0f873fe0e01428cfa29c17fae7b195835

SHA512
2d330a2e50a8e6b833f18d9a889c4e3008a2a0af17a1316fb40d39d4ebe0851987fa06686e6741984a8caa3b6a9b446809f21cebbbd9b2336d08db97d4d40dd7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
eb1f89c61d7047f776a7eed6f0ff9698

SHA1
4794ae17083c31aff8476e057cbedee16cb1dcd6

SHA256
e49e4df7be4aed5a4a40361a2e2d055b5ed7709d265dea9a498abfee2e156601

SHA512
57a939f39a68174e221715739c2acf87b3db61142af1726a48032cd0ae2b47a3c3b9f66fa0d11071d210afc27140de2b49e0a72f8c0c53ccb47c3eda598f55fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
72db46f09904c801dfbf49a23e4a27d0

SHA1
5ec258b8fda54666bd1eea889dfe6a9d2af78d1f

SHA256
1f17ed876e471625b6cab7b42c2ecf6a646c05bcaef6b9d8cd6aeedfef844e17

SHA512
5aae20e09da567463e91303ab5a41535e9896b950ba53cf8c75ff5b74f091c9a9f94a3b82f356db44b9c9f146807b956b001c44ad3f967425546932522dc9323

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0ed8f4b4638f31453e079bd31b0dfa76

SHA1
24b1ef13781ca44f39345b877b0610fdf6aea4d4

SHA256
8c79cdecd3d8aa2cf135ab0e45c2fc5c61a9f66bd50d9c0ad9bfebc4f0d59383

SHA512
6aa3b49a2d180518a11cdcc9171310ac83b1bcad586f97971f469c1bcd659e1f642ef4acf0c084c968fe33d37579b9d73b9d2092f8d213e83dd4f6e5f57dce95

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7b98737a4d09afd604ca11f8ab33cc3d

SHA1
9f58c4d73d73f914ff0ce4b7f3392c58734c176b

SHA256
17c2551102cc5f9ba8ddf0ef323dbabfeefa99bec26c08738f9e04ea6a84ffba

SHA512
f572463289cdb9728fa7935b980c987ece893945f267efd0a682e14e1bd7b0703f54125a4045b8b4c21ccae00f16451eefacff58b558775540f13164850ab1a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1a74426a30478a847918f4d0dc31775f

SHA1
53faeb9ea6503a5ad8d7eefe2ff1e3a8b9db2fa2

SHA256
1f5c4aa6b4b968e4d0aa8db333d81854ea4134f3b7f452dbc47d008d5f5754bc

SHA512
8f33cc29e989a9a864fe8ac8c843ddeae053d10fc0a8922a257405e23881f9927a3a9dff07b202570dee1f85f086580b2c7043b807666ed7c546c3ab37931d5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a0993e4bf17db9f7b20a5cb7c7cf52f7

SHA1
1487bdf10bb035e435520e0b9d51c55635e2c2fc

SHA256
71fa47f2ab2a7211a013eb7acd703c87cc1576d9ef81111dd9b48be5576cb3a8

SHA512
7f31a08c27ca594bc80121141e542d1d5b1904176b2b659f7f134678753236387939f2524d6d0fcd16895dd4d76a9ec5482949a9a8c1268d9334641dc879907d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
69e23c2fc9e27cb0d39de6b5f46a3105

SHA1
7ac9e64cc71ff9b97825687627d569181841a719

SHA256
de4abd4677fd10fca8956bdc6da6acf533c8b4de8001605737a6bab151cb285d

SHA512
c647f841fab76cbebd9abbae18556653634e5194ec4b42dbd024145d93dbd2c8f58a81f8198daa83c92d1dd06206737fdb6e4372dfc37f691d1784bd3e720896

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
56f6f00fa74ae6bb45d73057bd83d460

SHA1
e4a0b5c9509bbfe9fc88447e552f661254b444e8

SHA256
7e6ee75ffe2de0a2d250306be9af0ba6adeb244de75f4a9f45f99290d49668bf

SHA512
126eb6932981d5fe6227b81e85efdd5bae7f2bd58e14a0c347ac88daefc9b533e9d79846b06af065a0449a3a8c035187d926c0f5b4d3731b01bc98d949c96dba

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
09bf375e71e53df67d1b227471fcda4f

SHA1
fcce07c930cc91fe56b288d600b3f546495da2ca

SHA256
3252829d2496f5d3bdb0df726c25d1526d1ecda9dc21b44f8694f7eb5c1e2312

SHA512
f9434ce87f6fcc334f9b78bc42555490403ae2d81090641fed4b1c9209e672b4f1c83c78f1b35cd207227c0601a6bd311cec5a84eb36f2a4065e5edb38d9637e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1bdba114f939ed6ab1b575cbdb36b2bf

SHA1
0c30781d362acd3b43d3e4badf5a873117870b6e

SHA256
cdfa909834fd9f216a6f975683ab63ee97f9707bf6cb000d4cd971e4e20ed892

SHA512
116017b538e5494ba07a22ab29e3206fcd9dfe816c70de6221581533d38d2962f744ed1bedf365f0070ce026e5da3d5f47aacd3533f02d9f28a0492b9e194025

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
48a16d8616a2bb68b1db8930cdaefa71

SHA1
70c63a45e5c8c08e639cee9153bd818f397edbcc

SHA256
bb583afc719c65a561dce51c9ddde01fb4af11577bb6940da999b18055fd11ad

SHA512
8ff75bfe3b7d4f4746ccdc4a75871d9542d85811832f1633aa13b44c4624297ac415635e8aed7dda7c64655d68ae78db41582aad67c4779c0cab68480d8260dc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
a67d95182e149ddd15a921ea0c0134f1

SHA1
22ef38ffa136f7a3c0652eeb95a1c78cb10b406a

SHA256
3186c8b0b5b840c4d51233123fae4decd879439a63c20f4e41a8b2a916304e20

SHA512
f9c8380d579cfd56820f3e195b4a62d291ba5fbc5ca52ce4e633af0be1ef6d9c4bcf61d2cf57665d1372c306e53a01e13473b27d6717a25312502c2c4621511a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
fa6a6d93f17116efdcaf1dc22c22604e

SHA1
82cf2c7a5aa9a0112ebe984e71b4504ad9771683

SHA256
bc7fc292b6dabe6318526e98022c5c7fa86b51b1981975253152c24a83cad6e2

SHA512
1d50f606182e8fc5d0605ffe5035f69e5706f7419b88bc99983d38428d1f242ee30063cf78182f979d9b79ab7e1d43c0eb4f61512fef8a51de4d77a45a298a1c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
f0605cbe1941dcaa7914e7038ada7e2c

SHA1
ade452baff5b16a6bd5da2a69d9f87cd4d3ded45

SHA256
dc22bf22a13b5b6fa2ac005fc98ace3afd0c6aa8738763437bd78643bb68e351

SHA512
b0bc93c903e7793c6f6641a0d7f610d16a1f033b48a434037d5e1c1b079383e6fba8df60939a86df39f45369f2add528801bc55beb31ba6b8296a426e0f1992e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
8b5b3a7dd5a78e3f76171895adf378b4

SHA1
88ba6e1b5d0738d48df3baeefb95a50e45ea65ae

SHA256
f64010c3815616eeced287de1dab705b073ddf02bbabddfde8814887b7e58571

SHA512
f4ff8dab9d5719417d47217cb7b1cdc003258466d674cbee478866964269f9242b04c7e816cdabafbeb49aa15fc73b16ec3edce58e6e8f6a6364a815170a50c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
5cbd032d4cab10ddb047795165bc6d4e

SHA1
1578de24bb44a297074993396a61480b2ea602fa

SHA256
1f0c2e34dc68acddb12cbc198e88801e46c1fadf313ab92bbf19dabef5c8e02a

SHA512
6fe63f8fc6e43f77d849c4053709346039d2636d050d06f4e328745fa163486716ed7618377a4a3edf52c83049ed5e191cd24d3245e9c1682a7e8018720806a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a926df94c4833e105366813b5d6332df

SHA1
a324e645df2bd9fe54562f8f8ea8d12a5c67a81c

SHA256
c3b5f30569d7275425219ddd4ebde33e06d08d5ea37be866566a4589e277e43a

SHA512
21e0b235c3158a061215662ad667c76a0e133ec88ac21aa873dbb95fbcfe97c72601d9f71d30ffea699ef5b0c9b41f8821ee29edbf69a3e176954f2750638488

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d975c6159c0c4ce22608d2cf7cea5454

SHA1
9325d598725665547a3d0327d6ac680ec660487a

SHA256
05b2f445e63f6dba757c525c261d598c7cbe5dde87a56aeaaa45c05a5cacf068

SHA512
bf15d608323ff827df11eab227b70420cf351be5d0aa3332d723bfe747b73ee7b7f3bb473ad69c82eca822a7aced5988b56ead5aee682cb7df88e21b284c762a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
5ab11be1457946da34cc9f0358ac753b

SHA1
65ad5df0b34c695694a8df6d113656fe1a401d5f

SHA256
a64eb1da723851493e3ac564533591b81faeab811a0e06b311bda9ed9d015f15

SHA512
09cea3149b878e3ccdbd9736fcb58e6241eb3555e6fd62ee97d0effef0df940d5fbe4546b6198f5b8affbcb531af4b64bbe84bcd55927c178756c23af91c4dbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1190e14d54a97fe6fd1916b58c40b921

SHA1
03dfe68a1ca14ee888fb0cd8dd828a865d3fdc79

SHA256
9c00c0dc0d5eb6339de7f9350ec13a844fd7b196575f62665a855eb01aa2a041

SHA512
17ba8620c9df8c29ea8549c1deb30076b155923b4baca71a4a12625861e0586931e6b588ef78b350a30be5906fd1e51c05ad418e47caee1463e6c30c27340ff1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
61c8d71efcb72c07f1827641ca4fe4ba

SHA1
801f589856190cb6449d9e1b4fde7ae5fcf3544c

SHA256
a518dc1b268c8e5d9e5628b3404b6bb153c3d1bdba8b03cb13b2ab847abe74ab

SHA512
02f576972cfae3af3331a2cc0f08793a6f3d948cee4d9b25a1a48fd4eb2de128f936ff09abb66d2dbeca862443931169d333bff9c0cf9790fbe0cacd6328e121

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c4b4d1c5011366a3ffe262b8b6baf316

SHA1
dd47e98e13730987a3a78868b6bd38af7228dd67

SHA256
9d40be9340330cc2c87ad2d3ac17fdcd9d97e3c0b75ff4e6c5c64a027ff7db4c

SHA512
0fa76671fcda8bf8504f811daee93d3d0311c004a84dcff86d664fb8ab88266bd26aa512aa133a717e0b2251f43a0e7805731ac29ce76986b8869dead347806f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
69d14171c79fca842e450a60e2692bd1

SHA1
ee490a3bd81490e7eb4c470890b6cf79985d6f0f

SHA256
a3a495380e74d2dcf404648ed08b8080121b84e7cd0c631173dce13ff4e31c2a

SHA512
1817fe2b50e04dcae81ffb97db8120b64625a114aa34e7f6c72a6d53795bc9457ea248960942d63d11b35d971a03fdd2e9c0e97e7f00465338c60c79501f289a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
21d2ec6e0374573012df7dc2c51494a9

SHA1
7620ab8dc33024215ab15e06681cb53d81202179

SHA256
9ae8b0b8bad4a58dc62ce51c7cd02ff21939725182eb944833087e98180e0500

SHA512
2f0fce969468abb1cb50b14381e3a7ae1486e79cb40b8678a768f3f440b4dc655f1b581844ac328169acd74d7f1d8293d61a077bcc668cb6e1ae38a748c9f0bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e5ed9997edaa5cbf5b873c5826b4319e

SHA1
83f5a02f35da9dd96c64b4f5f63dcf6d06670ee5

SHA256
531abbe5859e4e33e6f426f814022d3144d555a357a4bd07932f128dc85ec9c4

SHA512
2d23c81005ab0d936d4f6fc4abbd3783620aa16542b8b9037ab01ab7af13a4498bd06b46924015e778a2b1e55b0f44fccdb7b5ca0e26f8a0b1d1cbf0cc1d4ad0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
778ec79a08413ffd119c9d2e9a572bc9

SHA1
522b359c232f7d1d8629e49db2d335f7ba6b7738

SHA256
67d86dbd6579320fb41dbf0396a6de03919e3c1227abc37c5242b25f6f96f3f6

SHA512
69ae5eeda1b056ecd215f7b8c48f8075d45735f802636527ff5d404b5b3b78ee4ff91a49738fa47914e4894fabe8847ebe00b273acbebb228830cc353beac3d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
aa3b7f2eb61037bfc5c6801aed78f2e5

SHA1
18b4fc169591232aa2a6629a72a3e8409df205f2

SHA256
2c48afe62a34d0c6e3650c22923d8ba2fbfc91c4ff81144876be7932f2a62f2a

SHA512
bbc637d4857df9dfc59daa6590e13776204a9ae262f5cb594387dfce3700a79be9ba30bffa4be716787903f2b0defa798151ad53c089698bad95707fb946d95b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
3ec79cb3bfd13f35df1b8b76d27514c0

SHA1
0548305e5d7df8e3fc7035a515454899697a00b6

SHA256
ad6581dda1ef2519d8e50c787a406c00e6b9ab716c1d8bf7b8ad9c18bca25c99

SHA512
7754320b9abbdb00b8dd914bc2c969662460fc89790cd2d7e79a5c2ba1ad7d838f8ca7932b77798bad34234e6a491bd6118f30490c0f98e45d072b86d24bd102

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
806e34a47e7e3ede70d05e8765278bff

SHA1
3ac3da6990acf9ab6f2b9f3f39ec225ec1cf8479

SHA256
3f88574062bef0dbc81c048fef39c016440c4139ae88f46adde4e7acb891012f

SHA512
2300c82d4374e578595a60b5d7892f2a426cb380b6a125db549a23581db14bdfbb6bd33e2e57abc9d0b9399d7a0c2a4ba62bb3f9ef95f428d425b4a218683a38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
baaa44eb8b0c9d749526e535c5fc7c38

SHA1
d68c43c5823e9aea82f34c7a9d6b5c34d3843995

SHA256
43af651f9ac8111f9bb48d71ca08e0c5b6283c175b7ebe6f9f024208cfd0afbe

SHA512
76ffaf08ed06f3675756903251385bbfd145e9825bfd6c51f9af9bf04a613fe92127377d21ae507eb90f612efc39101ae71acef6f98a8232bcad9b1ee75129bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a995663f4ae6c8fb27645b21a08e3d59

SHA1
c8f1cb464d9156d94d71a159efd08c51af1eea37

SHA256
7181cdca5e4d0bd619338a43253b36ea5933e0258a779661fbdcd5ad030e5a56

SHA512
ee2bad7897240119e69059b7203e9f04365189dd74f29e0821430b1500139f3f658703eb0c8af7a4b76a2de7b3d06454f9c32760f07c95f3e453f62350bfafaf

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
39ae0278d25687b0900a34269dfce84f

SHA1
58b3a58de6c35eb7203ce7691a6be0f48ce1ce45

SHA256
7690e4f525577d719b26b231f705b58797845572dc504b388834da07e2149253

SHA512
a39d33d20118b74dbed3ed4d0346c1a8e15848caf106c4cd1690acdc347b700816213423be3fa021f01a89c17388ccb6039d66a2a97f041d354a9bde316e6d67

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8beb7cf43981e9c0555c34b2a3d80e43

SHA1
c3b426c15d77aaeea8fa6b957361842b9cd70f59

SHA256
de93d7826d0b2d7fa6de592b4bfdcd9b9d51a7e1a0fb5677c3019c0285c3316e

SHA512
072cc7c05efe0d86517e68c0c329badbc0793d78bf02129b141ce296a6529c1881783f1ff7ee9f173bf02813ac534303d86439aa5db5f304d46ca71b4cadf85b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
14e97713ac310e647979eef907f2cc09

SHA1
32636c7f0936fd78f4b353f27d01a120b51508dc

SHA256
5c34d4db102736d10f7e343cd0eec6fca3f18ca66f6ecd07de43bcc1cad0aad8

SHA512
3ed80157cdc35acd07993214929a3b463cf2e17eb44d55b1828236766754c7775c58e0e03b2af30cd019a89ceed59d3df885c038ea7358982aa03402bbbad4ce

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
69c29b71aa238075ccb359dc73ed631d

SHA1
88773fcd97954731474aaf755e1a50b7f47d0469

SHA256
f84ea910ee2a6d4673815dc7b541ab6f81ec3ff173e84071705baca283093887

SHA512
cfba33387b3361412815abe1d54b5b57bc7812516ec884f4d4d16e491ed74ca6fc9bc5382226b8f1db63dda5d7b7d7d2db44e019eaba6fc17cb1e3ccfadd29c0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
540c7882b4685aabddcb2cab6f5a53d7

SHA1
fec858e50304de8cd1e6d266729230d28b3475cd

SHA256
8a4cbfef927ffcc65f951d84a516009ffc05c7620a6860b4a6dff12d1b4421b6

SHA512
31b500ad475805a0b6f161ea2d1aca450cbe164a02a2f97ff1933a03125b03e950278059c5f453eb93ab6338364f96e2382f4c9b098a294bd20cd28cd21cb3f5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
25a48f885b7384cb6d35b3143b89728a

SHA1
8ead7248da5e1499c56f3a6e9be298fc9263fd03

SHA256
0ab0c13533ccfaa69f01b1e273a4c0a8c41326f3577a1c3df6c1ed0da800def3

SHA512
b7aed1669639006216ac13e938f404b29b0fbd1ff7b7ffb4859f9110cdee7a6f502cba665ecb3ffe23e8cdea8d97b57abc85915d6842229de7a0cac89e944a3a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6f08411f5d9cc28abea158627e038ac6

SHA1
836ed1ad7d340f0e6ff4d44766fb5bfafcadcbe7

SHA256
34fb3fecff2bb518e10375fc7cbac75b829c92753408fa02f79aaa3bef6e1ca0

SHA512
64c9ad435a849355b68ee9bd3c9dde6dd435ea03d61b129845be11f12ac40565a57f1dedc2dc3f09c8fc6a6fa7c533e7fdebc37d140b863174d992354de963d9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f1ca3adc9e8a9bfbae421ae1598412bf

SHA1
3f0d55cded408344fde51f2121dd1bc3818ecafd

SHA256
9855d2a1d38091682bcdb3e7e3cb8a49a4c35661208856f51ad9f97a60917793

SHA512
20173d1e6318e8d634bacecabd88ddd877dc63afe7fc15df6e05f7ab458a0b662b35d912ea236f3327903cc104e19b79aa566056c98b7cb1292c9df98baf600c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
023e756b74c9e9ab78c64eaa3a60cbfc

SHA1
ae32c8cbc1562ff409ea94da3cce54a16ec1fe7c

SHA256
dc1c86b02d50c69ee0065800d69a06d09dd63147391c70fddf56bcc15a89319e

SHA512
6b8b1efac4fee678ce32bf97264ef6f70f7808035ca1121d016ab6b3cefc5cfa9d4a7aa4f77df7508df53ef6b8e396783251c782f0e6cc2afe965676a6a5488c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e0cbb8a631a9f28befe562b75bbe841f

SHA1
4834f61195faf32f5a4143ea8a40138aa03080df

SHA256
71ef307e8884b20417027ab809e511ebb78b4e757de7aa2c8926eb40f4483b53

SHA512
5bcabb8791dae4fc159e20ff327be845e06993509a9c123c8d1e5a2e15fb949acc1dbb053936e1a727a5bb724adaddf002a50e1a6b502a40a624a5e59e4c0c59

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4763c5dd4119251f16cedf7481fc86e9

SHA1
b9c437be7c91feff00bacc4ea30feb252a41bf76

SHA256
5f41f76063d018396119f7e19905aa8a795dd6c886970996185e8f1d5c41451b

SHA512
76ba5fde10ce9a34cd7e5a891beaf5bd88a9c6f63d3520dc518cf16d77070dbef1e2487322652f1c868dc0c83f08f4404380b53fa41dbf99e6cfda4486764b4c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a6dc75153f945e37aed09b3574aaf874

SHA1
ac0e4d12c57a04439fc3349d67b556d6aa46040d

SHA256
e26f87ec3fc7a2e0ea252fcbb40ed866b38eb248e1d0444594b99f1a32cbbda8

SHA512
98da2ae29dbbb8341aea1a862ac64fc8d8f09ddd63bcdbd33b8a5d1477baf0fe639a581d16210a0644c020db1a912f5d484e438ad0ea573699733cb7906b745a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b644b77aa225c214370962eec0e66ae6

SHA1
e8298518f0b017340affd744d4ec3f19c0482ea9

SHA256
32a47e75c756e30d9b7622b0dbfaa11f644595bbb1a17dfe135a67368dda48a8

SHA512
7ab25e38e706ca8d75e3ab6456e4244bd6c2510ac86f5a5edded748a330d23f30d8e987fd0a7302d54d2697ea6e05312e551a162674dcac9dfbaf99a51056b94

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
77442c78f38972dfb5a31b694cda8cf5

SHA1
fcc0cc93eb41ca728c42a7e6e5a58ae829605565

SHA256
4df081558659bcb6723ca2126f99d3093f32d780da51c70da78d52f0d18b1831

SHA512
e247b8386757d4c068af077f485f1c58b8b39bcdda21ad24b7dff09cced00b834c402e3f0cfeb162737254336db651c02516a7f8cf605a67caae70cdec1bbce2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
98f04231613696049af25b17c9f3100b

SHA1
34467b2de9801a337902f5815c06554dceae4dd1

SHA256
1374a14f6be0a90abd11e11e4c62d59185c46735e1b958841d936c7bdac47c27

SHA512
efabe1bf68b8f5d8bda908379543ff06579223972a6b0f47cbbb39ef83fc1bbdd62e5f03bc40c450d527fd57dc3441136451001e7c66b5db0a960fe9b860e71c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
52ddee798c6480c7bdf3e4d2d1136302

SHA1
2b73b882f8c9809729b8a3d6712d65508b5615a8

SHA256
2028efa0152efb483349c424651a6e1df70500b51939e1fc6d1adcd92f8924b6

SHA512
170f8da57a6ac51f643e1561ff55aabfe3d344579b77f78b70fb6938cd60b8963f850577d112c5ee1916a8d1c96ce719d0cd9fca4522e411426d3c122cf9faa5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
26395bcef85b405e3d8ec35d5cd496bd

SHA1
dbb5679400161fa693b303e85340d7dfa7834a9b

SHA256
32f3649eed5230485f12df2af8cae018ae8ac8374a864893e1dd00afdfeb6862

SHA512
096c56bdfcf9f3000b34a967c5c9dcca0702c4f9305ab1a9b64937d561ba1927c3bc287ca1e85558aca8d624f2e61bf58cc730194f33217c3f2c854f2a7d99e5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8925c078af6fc906fcf43f89e0a7c4a4

SHA1
3466f626a491a7c3edfbff21b64f92e22c7391d6

SHA256
50ed97c80608b00ff88a7d6da8f894e3111a6a854226adcfe0a94675edcf7259

SHA512
62f89b2f70a060324eafbcf991fd6e9c44692d2703d40f3e818f1c33302d1e631980b0839ea6dfa0695147d2d8582d1a70a07ce43b38583d721b229a109b1986

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5a70ebea0e032d7a805b47c34e4b97d7

SHA1
118487386462980f024b7d973fb717fff977b21f

SHA256
26c3eabe26d8d7501c5ad15312f7a4739e1d2bac0958bcf196fa337616c085b9

SHA512
d884f66d32deaf82c57b9b8635694388cbf51e1cad1cc72fddcab44f69d1b042c676f7d4873518b3793a9de98882ffe9fd50e5a899aea1f3ea83e647baf8dada

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d79f4eacf624a319146dda7fa8eba43d

SHA1
947b1cecbaf2b71b808cecb4b38cafc60dfec78b

SHA256
4faadb8f947eee8debba5c450c637c1bf770893ed4473157df4b2e6d7bd8cfc7

SHA512
708b56c8f62fddc4c8618c299fcbb15802760750964415ccfe9e50cca85979fbceede13c2bf32da05961c825782f07f92aacceff4fa9730a1d7c3d0773730e7a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2a630fe72dce1d57778215fd8a57b6ae

SHA1
c0fcbebef4659a4a02e07f089f89702982bd3a99

SHA256
fdcc1f96673b8fdad20816d55350b0033b3e8c50b556e712b8760a42dbd49d08

SHA512
cd2be5a4b826f6de375b02176408a9a8273bad12d870e53c8f12e901167fa6b08b0c35f62cef88d58da56c2bbd67b1e4ed2e176d79c3b73419ffcfe0caf48332

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
cdb00a79884a6084cc34cff465674ba0

SHA1
30cab50fbcaadcaeeaefa24790b808b5583d60c9

SHA256
dc592999fdde7e0fb3ea1c2a2be7c10ef498d4e39b30388bdaa93bd1e1fe9796

SHA512
e4397e99630899744ca0c136579f270e8343d6f04c5a1d66fc977e231f72cbfa906a34f9bf9b436a08cbbe0a42513236f7e7b05003f37c630b37815fcde5775d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9336bcc9b4906f88a010444cda4d7a17

SHA1
83bbb8afc9cc08d11b2fe669e635dd2a4153fa01

SHA256
4a1ebafa61de363dca3fde944dc6fb99d8b257dc6f73790ab1c02547689b2cdc

SHA512
bb7aae991d26b0cc41f2bbe999ab87e65e92c037e940eca92b51bb72a31c510dc296ddaf860d1f3f1a559e6eb30a3c594c3eef352afda6f94f7b262cd2709987

Download Submit
memory/888-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/888-55-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/888-49-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/888-512-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1828-267-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2012-67-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2012-61-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2012-70-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/2012-513-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/2216-260-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2256-174-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2528-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2528-74-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/2528-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2528-84-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/2528-80-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/2608-176-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2628-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2628-43-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2628-47-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2628-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2628-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2644-516-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2644-262-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3256-175-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3760-259-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4056-517-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4056-264-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4176-253-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4176-495-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4188-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4412-518-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4412-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4544-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4560-255-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4568-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4568-72-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4568-2-0x00000000020C0000-0x0000000002127000-memory.dmp

Filesize
412KB

Download
memory/4568-6-0x00000000020C0000-0x0000000002127000-memory.dmp

Filesize
412KB

Download
memory/4724-20-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4724-266-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4724-12-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4724-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4732-177-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4800-257-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4832-457-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4832-28-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4832-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4832-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4888-263-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download