8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 23:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
Size

1.9MB
MD5

11d9788242c66e9df7de38373b756c64
SHA1

0bd4c00b398574eeec3513118064049e0d55e2bc
SHA256

8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e
SHA512

3939dd1ceafa6cc19f7af7036aff758c31a5b83d2ee1e31421d704d69979408470fb75c4575d580be682b549c9d144840c324b3f1c6ea7b9000f7c1c129a56e8
SSDEEP

24576:M5lB2hkhfvCpf2fTf2TNjx+mZCkt76f/24pN+XNqNG6hditW:Ml2hEvC4fTf2f9Ckt7c20+9qNxUW

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3768	alg.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4724	fxssvc.exe
2068	elevation_service.exe
5040	elevation_service.exe
4996	maintenanceservice.exe
4608	msdtc.exe
4160	OSE.EXE
3500	PerceptionSimulationService.exe
3668	perfhost.exe
4592	locator.exe
3960	SensorDataService.exe
2320	snmptrap.exe
1752	spectrum.exe
1060	ssh-agent.exe
672	TieringEngineService.exe
1968	AgentService.exe
5116	vds.exe
1132	vssvc.exe
116	wbengine.exe
1960	WmiApSrv.exe
4448	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\locator.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f83749a14521e136.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\System32\vds.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008243c13e48ecda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002f4f03e48ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074809d3e48ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f88a83f48ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4399a3f48ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2aeaf3f48ecda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4bbd63e48ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f7edb3e48ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c02613f48ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1624	8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
Token: SeAuditPrivilege	4724	fxssvc.exe
Token: SeRestorePrivilege	672	TieringEngineService.exe
Token: SeManageVolumePrivilege	672	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1968	AgentService.exe
Token: SeBackupPrivilege	1132	vssvc.exe
Token: SeRestorePrivilege	1132	vssvc.exe
Token: SeAuditPrivilege	1132	vssvc.exe
Token: SeBackupPrivilege	116	wbengine.exe
Token: SeRestorePrivilege	116	wbengine.exe
Token: SeSecurityPrivilege	116	wbengine.exe
Token: 33	4448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeDebugPrivilege	3768	alg.exe
Token: SeDebugPrivilege	3768	alg.exe
Token: SeDebugPrivilege	3768	alg.exe
Token: SeDebugPrivilege	4820	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 3560	4448	SearchIndexer.exe	112
PID 4448 wrote to memory of 3560	4448	SearchIndexer.exe	112
PID 4448 wrote to memory of 1220	4448	SearchIndexer.exe	113
PID 4448 wrote to memory of 1220	4448	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe
"C:\Users\Admin\AppData\Local\Temp\8d1bc089e27b49eef32d062b076f86ba4f50a020d4b6aed8eafda1798179d10e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4608

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4160

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3960

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1752

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3284

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3560
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
24733f59af1c63653bcdf977b96dd599

SHA1
02f4045e5eaa57d7ed43d50b628b806f61f49f8e

SHA256
c24b326c53708b166362c0a6af2ed5b11da020266e0cbc888312ba7137082d09

SHA512
579822c51a15f3f294f34dc744ad9744c953d8fe44ba80854a25a58a55e5266e2d1d80d6b2d0fc8534203f0b2776bae1ba1e1ba777fb78e259e4fff56f8fd523

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
aec4ff0fd7ddf7f3f687c27472e7d676

SHA1
3c88b02959df4a171ceae64ead4886c1477c30e3

SHA256
9ff928a81d3d72abfb98c81108ab681f5c1ad33715c921469bd575972e15fae8

SHA512
b5e9afa04de07b1822d80e5a274632da305f7e245da929aa73b9ffb001821f8ea24dd92f9d8ee4cb3f73fcf204428d783f3bd58f83c715401f63a844aa7abdce

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
226ce6d1796e8ccc5f41387177a68616

SHA1
f15dc6e7e96ee287b410232ff8d20885c68848dc

SHA256
9b2710168be4df69b048180a28766b1250b17b33fd28007230936779f9e28ddd

SHA512
e252f44843638edb102f7ce94cb09ee5bd63f8ae3e2d81ada81cc7b140cfe5561b5e5fcf6ba0ad6c0b6379d19b6c7b588aff9856e30443c0b060a090ea831f89

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6a5d4bb206fc9ccda8d6fa0218f2ebd0

SHA1
d56fe898ed10e6282a2ff6fc96f9100e6eeffaa4

SHA256
56a053700ea7b3e7b4d869c04aeeb9a01110c6d0763aba6fdde8419f0f729f90

SHA512
acf1326c6404e5ada47c96ec7a490f658fd6a3c994c99acb5821860b58c4a396f28dcb79ff6b0d5c60c32bb2f4e13ee88e2b6054f426e892af0c4bb7eae1fdb2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a4527b9000861f8a8d1cfc07ba475462

SHA1
713d84abd47e3c23cb2c26de936f6e8a62d00717

SHA256
e0a23fc829befb97d7ee357dea1c035e34599e24b37628d52e7aaaf27981a624

SHA512
e4425da6306387f50909755243356a5cfb8d028a5a3fc2dc919f98f2c00e6818350ec6306ae58d0ea9a35c5d398dbebc89866edfa66c8a38d5faf3d94b3ab458

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b96d8edfca5d05e6a0938e00c377364f

SHA1
f2dd6ab2bc90456fd39097e17881d356eed55d0d

SHA256
6d85dabed90ae67fa6d8f317de51ca33cba36d24461d26228ed0617d48f5c96b

SHA512
1cb4b03b29fbbe87030f7d64db9212c716f63a7a6769325c2ad43cd7a2ab8966a8cf1d70bc439c4bcc9a354f7063efbb5fc6e6acb3223d5e7d421b675b6c14fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
920b1f0fa97be0f3795273080a4815a4

SHA1
bdb679fe400c5376ee9a375e7a835b2cb0130d39

SHA256
0ac68bf8252a1ab4b948af0f06748f49666bb7e67316d38d4de32c2c19dea9ac

SHA512
38b94ffb8133c88811da89bbe7ac49761d3d7b10ec704a6e09f9ffb433f2d1cc108f921800897b315ff7da7e8b0bedbeefefdf37e1d1bc54ef23b04488739dac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9057d0adbf6231d7bc641b7ffe7837cc

SHA1
19a0966fc39b74587a6201ba7b620fd504b2690c

SHA256
56c51102dc0fde8924df836ba96b3122ddefaf2f11d400c85aed482bb142285d

SHA512
7595ef8bd3c4efbbac401b8b808c6b2be02a1be5a4546574876b37f28980b48530adc105b53fb8cedb7fd4ac4da8b26cf4764bb55e8e5bd97a23a4bddd7e867b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
a2523efc48b9587b6fbfbc08ec79f365

SHA1
eeb6f8c6d2dcbb3ffae7db5f86fd129086f57d75

SHA256
47693a735833e3d58d214b03d68ba7eaf168ec06208c66212a3ba70ca5172b12

SHA512
dc2b99e138333b0c94b3a8372dccf70af85a671eae2407fbcbed7c6f54ff3450654af4a37d5eeb9a6172c16506d91d37970d9f900a9e024bea5d4d9abbeedd98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b77eef4d535478ac5848f7ec675c280c

SHA1
dc0ad494a6f2ebb1c9f18b507653b975e8b86c25

SHA256
9e47c8ac58d8d578c0dbef03ba3ffa07646e2c91379276eb3a7f46b11c8f40cb

SHA512
1cc5da95cb29765b032ccf154220e0b0a6e03f21fb4273146c9816529cbb96de777731a63432702b240cbac63ad5bf6444d72bbdbfcc4006d6de80a105d58c57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
214bd33c26212034cb84d592b87f3b88

SHA1
e7dbb6f2fbb02b4a12e553e374db8a4ab641c764

SHA256
caeb118fe388364d37c82e8844342cc655698cb5dd47486e229a61ffaf3eaf77

SHA512
6b9a7c83877997444c4dc8fd2226624e29cf9bd60b1692cc9e3bdda41fb6e037aeeb6ebd2546f3450c79c92bd7761d20aa2a293f6f37475864e661fc8d1fb764

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8dcd8874a2a2041a922b49d6f7e15c23

SHA1
049c424501c172cee56a78c64ab27eee14d06d96

SHA256
b2f384ffb863821fa8dc9ee176cc36449a4ebcc1c32eb656b42553f14450972a

SHA512
d76e9558cb0d9516912562f599ebfb8e2f04664e7e9b039c0f47f4b0caa07aadb08c23ca19831152fac5c492d200ac86658d99e9e429de3f98f975b1fafafb34

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
a483960374b59299130638739beb8c0b

SHA1
0839bbf4f900db116c5d89831455f16226561949

SHA256
7c1b62bffc4c797fc6ceb2300b44b3e13606316519faf2d6baac8f324fc0c5c6

SHA512
2cb44d2400dc321d1673ab67f66486fd92aff20de2761b6e622e1a78be30da542d30ca68ceac64af2a4b1128f50ecf303d81b4cf1ce44b99f30f14ecf483132f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
a88f61e02a95ad17e7d31f3c30c2c93b

SHA1
4fdccec3821ecb88329cee9205f1c3b7ed3f99a4

SHA256
760815ab81fe600d9dd94b1c643eddadd3842bb384e58c412d78b45de29b4e52

SHA512
76851400411c3629dedeaacf14eb26d2f0dbfa3d5d1e8dc3d5a0da0d89a4fd7852543a27ffe0643395b088b02db1032ed2f3061c253128c77edd75ae9343ac8a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
255b22f75d54ce2bc1ebd22d0bca282c

SHA1
ab03febe0506256f0bfc842a4bf5cf1157ca42c5

SHA256
0409f75088e9d03cf5489d6e84d93773b3f427301832acb4141c1d00ec20c8af

SHA512
a230d24a1001664a602dc62d5302674168e80513c6de69e92a41983fe6b6fb4c8b82bb188a3ce90cd249bc14b32287bf8cfe208e15635d0ddcab305e6643d2ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
0be791eca2c888c279380803c881f1d8

SHA1
9f45ea1adadec2b692215fed5c6b3851fe75f04d

SHA256
ffef436cc3b45240ab33e95e5064b3a69a726f5061ae52a27de048e94901eec8

SHA512
6c358e82cb8018605cd67db001ff014c7c9221dad1e4e74a5c20cfb52e546fca99f1edac523b13ba6ea21839f86a6d5fcb953a6a86ec8de1d64f54e501d8f686

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
17c51ce25a425c08812cf5f8df18f239

SHA1
437de0cee8e25c62bdd09f9b959fbf9c50c6616b

SHA256
f91f9ac6dece5b662b83ba189df16ada5f3478ec1727d336feef225110ded13f

SHA512
d10b5383fe9b99b5fbe0f59cb389ae294ed8c5b044935d32eb0e9b26af209d00f4e0a8dcd1f88df13a739c0ba2c97efe3d287ef9f2bda202ad843d45e6d35fdb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
8f686e03d3c9342fe7a28f6c2f15b5bf

SHA1
c743da1afecfd8389cd2d1ef22172e52a93cb6d5

SHA256
dcfd22db297b81c4214051809e92dcc2ef45da9b637550fbc9d4168d7d9994d7

SHA512
91fcf103858a965bb1f79b4d639dfc0eec1a155963060866200600b9600529b00bdfaed3e89eb0c1ccd7f857fe062ff175d05b2ce54438ba03ffad02017c984e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
fa42d9ea96e62e6d98fbfd43723ae620

SHA1
8a3ac002b0da3ce270baa646aaec26b2e6b2674b

SHA256
6ee06ccfcb3073c4d57735445119acb5b6f4d4452fa1f43f1662eb34a3119963

SHA512
ebde04847ba86c1c2092c4ba8fe295cb0be6c66a13ebc3a28f0c7dcb3e38e35967c61899796f016c4f676e33a3fe9130ad9ded236c58e2144b34ff063ba54346

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
3e32f0ea5bf1d4c61382a8e4e093bf58

SHA1
7f77ccbf4430535e2990e7049887669fb78e9d02

SHA256
fbdec913a156f556af9bee8b6d6d8dbd99672e340c7ff6f3d443265406b3d1b8

SHA512
605b7a5cb5eb072278ec8945023805d02ede3ca71bee4262884a167d511473ab00cb79d0f9f9e6e7abd969141fa08bf509246109f27db84bb2f77e381d690982

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
8faaf7d6b2942c55f4a83852c4cfa805

SHA1
5c12d4dd1da1b287b07aab1bc151b7065917aec3

SHA256
ecb13b041c0aafb9fe02faf7704608ce667b39d6803ebd3a8961a0e49cb05726

SHA512
9bbac0c18f929418385d74c1485ecf174d1e99ab0f559af4453b9c4a3237c30e1069c41e216cf13dfc841e10471d0cd2fb768076d2f8479a0628a32baf2477f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
2c0d07ccfcf10cd1173928f22723f692

SHA1
fae9c54618e90ef3707923383c3b1fff954fd80b

SHA256
5b55ffee9f3982e88e0bee9a198404bc9db4a9fcad441c86d46f0184f0265153

SHA512
debfda4302300c8285bbdd8801678d1c86fab878db8ed72e832b8fa17cdfa3bf90d4ec71c4c0ffc0a63e5e01e428996bb72e1137d4fe57e3bb777a64d0f6314d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
631676f09d14ea4af3f5378dfaab3be5

SHA1
bc68019f24b970c87d8f6b88de891e0694490521

SHA256
21c33536448803dc4bb9a56e500887b758aa3f553380cb5b20b32dfee3dde5dc

SHA512
9c899ee72c015f93b745604188383dc8b6a3dc72942cabbabcb43bf0bc846349a8589a642bfa3864f1458c9772a930354b5e55b923aa89e96ca4f1a6edb7c7db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
c04da8555009e2616704f751a029ceca

SHA1
5497ef490f13b83500aca26bcb6a943aba85b95f

SHA256
cdb5370da56229491988e9ec95ee974ca3869c26f429d5c28695acbd8b6a0795

SHA512
bf24c3a0db0d5309f8b31fce729c191e41cb9dac1cb899e73768a6271aff968e715ae483c1e9886f06dd3aba6aec2f409952049a5a2fdd0d937872121cc163b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
00b1b79798f06b4846a3bd48bf930f7d

SHA1
a7203e29a738d7b7265ce2924eeb01bcd9fe15b4

SHA256
f65bf6537686ac1685e6f66d10c164539a5d12f29f16ba7dfd06f08ab8ec1cc2

SHA512
d7563dd0f876e4f10d4d88136f8612941fc6df14cb1346d2e813ed841ab6f34c45a6813b99cb0c3109d1b362dbbf79102a6036bd1512d062e2fef301e13ce410

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
98c2ffd6de07c4031eeb8d6ce3a8cdaf

SHA1
a44d667c747cad92555939afb363cd397bb9eba0

SHA256
761500f82c52f9ece7d83abc0804552f47adbc7e3366a9a94fc782656430fe93

SHA512
f625561a082f5a22555f77e8cd254f1e576ec2cd78605b331d07cc964df35e1446059de59b7e65c075f4f8a220ba71c12088754c5e2dc1f92412c095c45c0f9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
0d4ee422c1c0f76d8a937dd6b88aeefa

SHA1
9c77d945d99aa350f9582e2ae532f8ace94dc8c3

SHA256
8587e70f0800471dd78cd82204508431826fb82e138016d8ca548e95f6405127

SHA512
db5ece363791933aa7b028b2cc653d8ff7aa781f71a535d7f691fdd04c70db151d6ed80ddfc13168f3b9748608afd7981d7ed6b826cdce063ed9e62581a255fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
c261dd7b84cdf1b52bc0247be42d027d

SHA1
5d65b2b464c4dee3746c4e27986a95fb0bb89393

SHA256
08b56332f262b5454bd8013c0ba50edb3cff8eccb041aee6e9b6de1c25f665a1

SHA512
02cca6e00e615f679426ea1e1627eab7b1e5f77a94206036741d2cd83289e260b61d741684f36caf9b27fda06d1b82b36ebf62a988006948f2621f2beae89256

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
8bb0b0df26819d34f5aeeec92a534b0b

SHA1
2c5df1f8f92b26d569ae043531341a42a4f1d604

SHA256
59c64ffee477cbcf93d5db3faefb4d1f960b036c5926774ca5a900b468a54c73

SHA512
48eb84c17cca9f9ef02de9c44e00c915df571cd856322dfe7adbd5daa93c53a5ff831c60d5d2126e69ab7af1572df40a60ebf99cbed9da4be47b0e10aa845820

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
227c3098941c8c1a478749b6e54d150c

SHA1
37e6df46ce9ef2474e27c75b68d8fc81f4d7a4fe

SHA256
9dba24ea2407d1e4a500f72bef5cc3d5a461a0fc4a715960442086124901b650

SHA512
60a3cdb561b015d365babae9a024aceb3ebc55c33f5eeb3c2fc10e613048cc4fb2ac24c7d0bff397f01a4d2f95557790c2dc53dfbd1aec8e5b89d2f45530e965

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
8ac5f5fb11da9a7bc8f3787aa4360492

SHA1
4b51b334d5b056d3f087a4b4ed46f8aa15f1abc3

SHA256
3fd90bef132ea28500dfffcb4820fa00e4223aa164aa1c64c7d22cc1e4f8fcd2

SHA512
c605ee4daf0203d2d5d9cc1ed22a308b5633e2afba5d4a211b610c3c9dba5dcc276aee62a929b7c25b3c9ec93f94d66b0d0ff7f102076512a3c64cec23da7673

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
ef4d1a79fcf43668edaacbeb5adc59b3

SHA1
d73ae15258d0e4a54d2b8d746019cb0e1333fd07

SHA256
d9ed11a8cd7eb9a6eeed03efd2e7087df619a0c655ab323f2191b08c62d9f41b

SHA512
105ed0fdc5eff3b7dc94511fec1d23081c331ec76b88943990f05565edfdfce7295e25cdf90e0faee6be4b6cdcc50aa3e0f95d7a33560ca80817e2208bbe3918

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
56e6396beb21c5f9ea159d847d7f15b9

SHA1
bc9f925dcaea240f7afeca278c89afacb730e472

SHA256
8469606997f9ee6177655640f273c18856de27aec2bed4e26b041152f6040411

SHA512
be76ace807a9a2767711b50a45411eb5217afa708d4d99ed577e25cbe4d4637af8ef4f407c5e2675b8a45024ba64540f746a8323e5a26358f74c46eefb270f5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
17146b4ae04dbdf1de317ff9c658bdb9

SHA1
c83ce2d9f6569115d5235670fb79abc44314f145

SHA256
15090e68a6f25e02bd20d91786ee6f42f706d7501bd43f2dce9b2fd18497789e

SHA512
cf09bbc1a4d7a8c4d404d83ed18ebc0c3f2b6e1b7144f2449b8b70642ee990494f6d7ba799dcd4a791023a7cb1cf9f40a73fbad4cc241c4cfe47455b316728aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
2ab8d5ae5eeaf06fc39f6990952e69dc

SHA1
b41bc0d7b5f8160316d7c91d667d488b14ea8e11

SHA256
6afa4e258369cf9c77898abcb848a4870db1e3cab1db862216d3c6b0e34d5267

SHA512
1c7adb280f3602f6cdb8a17ebb527d02c2f9bab1b702d16b20f19d6e39473503f8430a4b8dfb4e52afc412a0a8f58abeb5d4dae07402d25282de9bfca4a62aa3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
c17fc515520d13974be8797476312594

SHA1
84651e4c42c083729bd945e5a2a80b78dcad3c66

SHA256
d7bdd01195dd300f575b9fc963a4feb1ef704bf6c9876ea7bb56908fc4862e26

SHA512
679d3b93a496bffb232d86ae534593dffea223b9561f843f063ddcb1c5178b8ee84b7bcbe17721fd10f091bfa479a962127641ea7f96ea47bfc199c90a21ee28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
83d2ff51c0ac17563d276d958bda5aac

SHA1
51e2f3e270354e1e801aab4218bfa12b1e31ef3e

SHA256
f6b570f0fd520955a174db08a95e4e97dec36ca287f7e75878a79c74bfcb90c9

SHA512
f0efe46ae59efb515a2155e9e788bbae7bd6931399f516fe9bde92c9118e0773db0b0a0336b6cb48e6af4bec7685b6602d2ab6851be3f8dcd6ac34c3043d2174

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5da102133fdfb446767c2850f745ab83

SHA1
4bafa8e9087bb477d9a534e7acffb384ef6aaf55

SHA256
853994593a7aa36295ab73ae2524a70069a425c233cbbb4dd0a7f01f8ebad5ab

SHA512
3237da932a10c8f85da503fcc5bd67dc7756e317c5dc6a64023830b30be209767d12d40e6fabf71a3d30d64f36d85f75512fffe4c3a6ba60bb095c1131f555e9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
d38fb9beadc459c67fd3010f05de528b

SHA1
b465edc9f9ce6dd86d4ce53f4e298418ea70e3b8

SHA256
5a250b0abd507a23f14b4c71237315bc75e54e979f5e928abe38c95a4eb96960

SHA512
82a3ae684eac53cc3a63a56653ee31d280f463175767f63990daae7bc4772fbd44d72eb69a63fd8e649ed4d0f75f881051064a3215434b14b5e29dbf6893d5a4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
675245278e100e4bb9238e249e7a178d

SHA1
400651fa527b633a38c3c881ff1d4897cf875393

SHA256
b44aec457f2ef70b9bcc2d7e4ea4fea7e7673187290b6b2eec8dcc371b36008d

SHA512
617aea11b678871809e413e854ddb6d657c83fca621b7d27c30ade3c106e2ab2a743a33bd8df59403beb3dc19538ece90491e4b67c16f53aab1ad1f8db3f347a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f1096cb381578ef0cb94f444dc487ba4

SHA1
21d5050d13fcf8234f07d0fee460229d7ed29e9f

SHA256
eeae51a0a0a8e0a4038749cf151cf4b2345dd706df6646cb9627412ab200b127

SHA512
de2faf4d45add424a4796ec358ea97d11dfda6614d20fa0f7a69aadb78f6bb1b93a5db178fff1e300bd519f8671ea833097b6d1c9eb3e5a9902eadbc130de1e5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b08c213315d50f00796943c671e3c942

SHA1
fdcab0bb09ebc8a9d729d237e1e15b3ed40262ca

SHA256
00e4c338fb8c5e7301fed7a07be3c1e81d7add3c7eadb10eb1b1a00287252cfd

SHA512
f4cf644464c9f8235212c7bae4e6440f5ba25698c777b194741f8cddf62ac1e1fa18fd46b47e50f34130071a2a5d18fa843d24524f529084594d96a8da05320f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2616c956e13e9d9229310962b8aac3af

SHA1
7024a6a2c5952204d74e83756c43a77fdee30917

SHA256
7d8f4e6dd9e7a5e57851ec7fdf2de41541ee06c1e731ba229d856a6f402d5cc1

SHA512
980cc649875090235457bc65d8556b34feb9a2ce444de715e32b139cb18a509b46eed941d5b95f8e2f57e2d8159dd6d70d23d332e319351cc2d3cf5bfd8ae6cc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
056308297c9e34c4b351ac50724607b8

SHA1
911a3a6aeab47a66692196e99feb7dff2b9c9e70

SHA256
3609ec45db55f9ce1a50b56a5f9e8556acf8765135a9d00602bb80b370f63163

SHA512
7b7d1e3b3f774b9ddd60f547c558867013ef8d5bfefbeb844e493286d0e95f4b3f5d2d98bd2a60181850d8c82874bffb9f2affaca8424f92ecb8b1c898734ff3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
1873885b86ba5de6bb3da4f50e5bf4bb

SHA1
33be7a8bbb4784cf6dff07dc2d86e89e2207dd8d

SHA256
4e7c62d45e1ac61b5345633d21ecd83e5e3b71f6bf7dc0637541a40dcbe31891

SHA512
3567181a5fb2c0e9f63c3ae06105b1a9488b4874f2323ce8b808294f3e9a155f4d862fa15ae74d59ce08c923550de70778d029f8251434541ba0a46a57daf3c3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
576701b802b173188ca39f768850badf

SHA1
fc00ea0f9d461275380a52c8a495bce395e86de1

SHA256
81d9285abed681f794a2984d9eb6c7af01c607ca5faf386f70b5fcc066e24b35

SHA512
a3d72604742fb3d42cff637664e02135f0aba4d738ae923c187888481e586a289d5d7ffc9c9c3c25c3c6d0641b597c559e80454e7122846cb41aaf000d700769

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f455c5523754a613ea4f433485d2481e

SHA1
f9cf28760c883df040af71aa7d16d6d9d4839a89

SHA256
08bba369229462ba4791af8cdd3499fc2f5d08727f873026595a8718d5000528

SHA512
cf24dbd8b7b8e55ab33fc3e7a7bec8c9a2b23f5f4b08aea1faa21ffda76e9be428de7b324d5e68f138c05d7a0246756107afb154a4ed8eaab0172a9d8182c9d8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3cb732c78bd9dd1d3adca0601d406a4e

SHA1
69fdbee2fbdeee158e8d48ebbce5f8c6867470e3

SHA256
3fcf2db85f2446a278b651a4433b74bb2b209ac1b10227ee0895fc5264929f4e

SHA512
7ad3391ec2f2d965c1b85756a75eb859d118808e810fff9703f6986dc5a39e334f899d36f153c95cddec990d720009ddedb6995ed5aa288190fd1ab5853fce03

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9974d8a76e8b210c5678e956f463f605

SHA1
c77616cdf96d2630dab4cb75b068bf8deec9c794

SHA256
87904c734cf643d0a0e9afbf00fa67b61951147a7bfae45250305c18ef938879

SHA512
8c068fdfe7a16ac3a935a6077da36c755ab8e4c7d8490374d54c0b555b3fecb94a6e368936b06e98fcc9120d57cc44a27ef58e92c415f77552aabee100a1d78d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
6b6ac5b0e560025300cebf687c4915f0

SHA1
9b146c523bb52973a4bc251d98321c4730320295

SHA256
2e01878cb8e6550017ffb687083c89b8781e13aab06c9eb56884a75d3eddeaaf

SHA512
1a5b63bedfb6da3f3b3169ebb93d2ffb1ef0d2da2e45c5d40c020560d74486892bc7ddb6cff14a6fb4bdef63fef1d0dad0be5de75e8efea2a38fbb18e4b20546

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
11bdc849800216a43fb099e48375e209

SHA1
7fd00a1aeee980d49ab4ac3fd9a7425ab8da3271

SHA256
333cdd88a58a8e4cc6fe3d8756a1ea98560698f24ffbfa9722a32c75dfe03ef3

SHA512
8c0ab1d0e5490f6f755196879c1a3ca57819db6446cf0bcd4ffffaa46046956f0adc765d984e241fc78e57df9e24e04df5843cfc1507ecd2fc5ab02c39859138

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
c3909b0905a8d72b871bfde9bd3ae0c0

SHA1
1242f1d981612be0df04910e19b7664b06a68619

SHA256
48579c4c349834664ec0039f557117d2764f7c74112847c59059db73b31cf7c5

SHA512
d067a6da52da84a51fdd354260a90ef7a8417a303cb7cbf6348be22c00810f6b034110280d084a424ce117738b1cb902f0d6aee7f7c73689d7d7258873a28bfc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
4025aa8d802f5be69ae8b4ae1da591db

SHA1
8b86d4633c82bddd01c7155708fb5650b26b1fe0

SHA256
de313ca31870e6e4bb3a57b379d16868b8dfb83f821b596e0dc367d737acef1b

SHA512
7c7b67d543fd08f00ddbf1d30fd0abe6627baef06bf045f1efd81f9d444979c9545211a59891fceb71d5041b07dced3f81cb5d596eafd38950382f509e038687

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
7e08721ca514780dd376968d56f52546

SHA1
94fd56ab0c7c17a10d01f0b7ff2bffac8492cbbd

SHA256
82eee09ab9f0cf05bb9a858c51139eb6205ed78951fe0406abcf078920ea6c3b

SHA512
94a133de7a829329ffc98bc151e581604ed13f49ca534c43ca0f8bbe48217e8046fd125d669dc6143aca5e6ddd2fd135dd0967853b4ed881174da3d3949fd722

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
870af8b4d098f1d4430cfa873383b2e3

SHA1
5ff11eccc73632ce91720061b9759ce34d31d6a3

SHA256
894907ec615972a9176969cb2b8367bb8d6a7caa10903b494ec891f2f22f3c5b

SHA512
9927d6765e6da7e2aa61a5cfd7daaee4a6768cc0d89ba33ff24206d924d2bfaaf323e43c5197c6af7f635f0b25112a3609bf91a0d00f63edbd4693c3aec1c0e6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
bb9e47fbe78be1f9a906a669d8dde914

SHA1
6968c84cd39e6052cb4540dcf8bd1ebddbc308b6

SHA256
2b8579643f6572d9396aaff79298f57c197cd6720f18efb8112e794cd25a45dc

SHA512
54c3cef201dec04dfb6ca94bb1df383cdbe86248b4490fdf9294b9bf5d4173fabee419d3fdedf6d1c499f8b081e884deb7075cb368bc8e62b0f1f3e993b2ca47

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0410a66bef98571cd915d24bc9909acb

SHA1
1f365921885a16e2b2f10893a275e6785683e8da

SHA256
cc35c5f3aae3afa5193089747349431283bc47434a4b83b66c58bda804b119a8

SHA512
8e8c5a873597e37434e16d7772b0ca03732d5f3e111fe6b09cf435721536f90434117c3ab1de6aaba4b856971833eeb58dd76b46c0e942cef2eee6ac57f6308d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
edbffece12d1e8a67352118b9a57cf4d

SHA1
a974a202c0e51ac5b26ec61a9a63300c08bd83ee

SHA256
47427721b29a41bcbf17bc2434d81dd11b781a874a89c9783287eccf6c8d6b51

SHA512
cc2fc928cb5b69d3bf3feb936c6be6111da50046ade1a5841595002c08df21ab897ca4c70619af773303d1f7e075f04509a97a60939c3c3e9dfdf41ab2506f4e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
811ffc399e2ba3e5e3eb0f7344d6eb60

SHA1
9c7f65c26ccad2e4be6ec6c4efabff2a33450c6f

SHA256
f5c08e9a3441b263ca82cbc793063ada7f067f4839d8b57fe657acfb06b32362

SHA512
1eaa653f74ac47b3a3cd9fd5c07c8c7117d7701b140de88fa834923189cd29d3c1448bc0b3c2b74380d366f4e89aefb6fce28fcce824d29d05d77492a905a0e6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
b19f51424b4e7604e804018c8d67cabb

SHA1
a97777e68202ae239f8077a19a196b236505045a

SHA256
c1b2eefbdec9cb7af33890ac2b4d85d64af003ead0f9ccdc7089c0124b0a98ab

SHA512
4a0a096fd5652cbc848b739098fd3133434d98b9f13c45397200e3b422d0b81024d7ed13e8f23b91fa7d36c671f5e86a191ec0f89b642a7bbac261796e2d48d0

Download Submit
memory/116-593-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/116-238-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/672-590-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/672-189-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1060-187-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1132-592-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1132-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1624-99-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/1624-1-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/1624-0-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/1624-432-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/1624-8-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/1752-589-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1752-186-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1960-596-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1960-257-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1968-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1968-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2068-214-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2068-49-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2068-55-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2068-48-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2320-185-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3500-391-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3500-123-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3668-149-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3768-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3768-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3768-111-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3768-19-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3768-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3960-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3960-562-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4160-112-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4448-261-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4448-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4592-150-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4608-89-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4608-100-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4724-83-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4724-84-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4724-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4724-43-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4724-37-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4820-184-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4820-26-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4820-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4820-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4996-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4996-70-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4996-79-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4996-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4996-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5040-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5040-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5040-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5040-226-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5116-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5116-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download