76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
Size

1.2MB
MD5

000275b32a155fbc8a60c0d2928af73d
SHA1

48381350b7646331c7a2010b439497138a01880b
SHA256

274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a
SHA512

99c789dcf6e0b96ead044e053167ab1448805886e382592e4de894df0836ccf78d8c10db1350db49e7b96f879a4b80202b58387d7a20922a10e423afeb1844b5
SSDEEP

12288:y3iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:yD/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1756	alg.exe
1180	DiagnosticsHub.StandardCollector.Service.exe
2728	fxssvc.exe
2304	elevation_service.exe
4060	elevation_service.exe
3164	maintenanceservice.exe
2800	msdtc.exe
2592	OSE.EXE
2068	PerceptionSimulationService.exe
1236	perfhost.exe
2044	locator.exe
1056	SensorDataService.exe
2136	snmptrap.exe
908	spectrum.exe
4880	ssh-agent.exe
4396	TieringEngineService.exe
1776	AgentService.exe
4388	vds.exe
1704	vssvc.exe
4812	wbengine.exe
2876	WmiApSrv.exe
4524	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ef4014c3c1221773.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\locator.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\System32\vds.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eff803a26055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000162a32a16055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091521aa16055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bef622a26055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1180	DiagnosticsHub.StandardCollector.Service.exe
1180	DiagnosticsHub.StandardCollector.Service.exe
1180	DiagnosticsHub.StandardCollector.Service.exe
1180	DiagnosticsHub.StandardCollector.Service.exe
1180	DiagnosticsHub.StandardCollector.Service.exe
1180	DiagnosticsHub.StandardCollector.Service.exe
1180	DiagnosticsHub.StandardCollector.Service.exe
2304	elevation_service.exe
2304	elevation_service.exe
2304	elevation_service.exe
2304	elevation_service.exe
2304	elevation_service.exe
2304	elevation_service.exe
2304	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3236	274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
Token: SeAuditPrivilege	2728	fxssvc.exe
Token: SeRestorePrivilege	4396	TieringEngineService.exe
Token: SeManageVolumePrivilege	4396	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1776	AgentService.exe
Token: SeBackupPrivilege	1704	vssvc.exe
Token: SeRestorePrivilege	1704	vssvc.exe
Token: SeAuditPrivilege	1704	vssvc.exe
Token: SeBackupPrivilege	4812	wbengine.exe
Token: SeRestorePrivilege	4812	wbengine.exe
Token: SeSecurityPrivilege	4812	wbengine.exe
Token: 33	4524	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4524	SearchIndexer.exe
Token: SeDebugPrivilege	1180	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2304	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 3620	4524	SearchIndexer.exe	108
PID 4524 wrote to memory of 3620	4524	SearchIndexer.exe	108
PID 4524 wrote to memory of 2200	4524	SearchIndexer.exe	109
PID 4524 wrote to memory of 2200	4524	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe
"C:\Users\Admin\AppData\Local\Temp\274b00e3840b0b29a021e2a1a36bdc78829dfdfe2e4010ea494db6ae4276692a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1976

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2800

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1056

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:908

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3620
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
06c086c56dd8505dd1bf4ade4c49c29d

SHA1
708a81e2093a80ab687efd9e13e8d189006252d1

SHA256
82e022dedea04c2e31bf1664cf7c106eedef684bcc2da9a360975840b1928438

SHA512
c1dde124ed33d0e569ec087ac3daf8009a6c2ac8c92d5b3ad52500d05f07b134b8da56e9b5809c67754b9265298512820dcb543e4bd4340e7f4ab0174d0bd2e7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
92df50b8aded403ff3696967945dfe46

SHA1
cea82e25d380967d27f89c784c93a3a401fbcded

SHA256
6fd3a76aa401bd5aaa9cf563d02830c40da57dbd9d4b20c9e6b008ae22399f6b

SHA512
5c1c762cfd2545365e47ab25c37d4fb01e286d9d211b66885eab821303280bc66019e7e48ba3351515d9b623709d6c1fcc63b93d427c4d50788de37a542887cd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
9721d6e9da85dbc5e2fbd456df8cb6de

SHA1
6da3b93cbcab29c3919cb849ff54c9dff203a50a

SHA256
f88a65bf559d32ee5eee16f9e609771d6d39e29e247f70b422e2ee9c096b8fdb

SHA512
fe1d1f0fb15835369e71074494dc4853a53bf325a467d504864eabba41cbf42bb09660b97f1323f997a5d83a9aa1c2359e7fefa3a630ed8347d588a69f5b3db4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d20a0e6ae61f1090817b2a3b95feb2eb

SHA1
be199a3023f56a01be517776a9e94b13dcd1e72d

SHA256
eb1edbd843f94f80b1ae5444d437246671a7fed3990f5c1aa01c9f2fe3bde1eb

SHA512
c767f1baf8d33d339d0276fbf9fe333b5f80f241ec200e2aadf054ce5349e2b00e65b69513d366d02cee14ed695afa17f187c03de1fc96e32240bb5febb7d348

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
95ee5de11f19ed6aefc8a923e49b1203

SHA1
8f5e26e86525f49638c7b02afa66e1f3fbe5214e

SHA256
438101cd6868453bbd89be1f3e975376053f36784859fc79217636024e3d82e6

SHA512
f43f5c2fe90eccd460e32171944dca717d64a872ca810c7ac9f0567aaeab087a5c45fba7435f51f96dbda1f3837c1795b40384f9816c77d4502dc8950ab49d76

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1f7aad039c6f0308c552e350b94c6be6

SHA1
252cb2038d324f6b485b08b48f12289f06f6b6e0

SHA256
7e331ebfa326b3b57dd875e14dad66f33311c51cc070d4a2fd0996b7628b27b1

SHA512
c86eaa5139b2ace08093993207a236c0f79e4d2afbf5c78ebf115df1076087134bd01f25e0c2581e5df06c524a0b87d514f08811c5926d92cc6df6cdf332664d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
e0f3812997346b033bf49f4fecc09f38

SHA1
aacb1a4c940d4a55619a9b88195c414b999af2b1

SHA256
86e70260e7767c4027d9480803ecb03c7880aae84e8f60e420d3cae4f95d4b80

SHA512
a6353b51a5140be4e454eee79f778ab4b3842a801b2f113e8f42045b661d566de43e3648e3b7cec59666bad0021137a073aaf09892b262b2ca2856a8e0b693d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c4cccd794cdd7aa5788332cfb3a78648

SHA1
41ca3e564f3cbc7c26ca4feb60b51ee0f55e5958

SHA256
9cff9ec105664f28cbe8ea5b40b0f87174b548975ec77ec275c5f82e78642ff3

SHA512
34e07503191af168931a2f0e510ddad3ddbf0b757fd2989506f4173eb6a3417f4c472a8a48211459eb98ddb562e1e2c1e550631efe6a015d8dcc8ebdc598672d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
c9e73a50c18996f54d9b3e1114707f33

SHA1
c1517d60b9897301a7ee03d01b5f4672e88012eb

SHA256
88a7050213230390cfa84a67434bfaf04d097f45f6ff3df5b43e8a7874e0ab9b

SHA512
ca692583676aa637038c59ca8717b70a0d0d4d7e6dc8546422233459996ecc4d40d43866b4e6da27fb8ca8828b6993be90848392b1b51c34e54747408bab5b7e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4d0d86e9cc04f69fd63dbd31b1a1d0e7

SHA1
091ef7e998ca1d3f5cc69c90a78adb65e1fbd399

SHA256
cae52d646c479f1536db34e42ca6c6f61ec154733baaee3e1f707d5d825ea8f7

SHA512
4d8783b810460a9ca839f38f3e699f79586cab61979d48ee149e43e8ced2dd0df6064166b81c400926f013201545cd153e2c034f3ea881843cd0db85b1512858

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8871683db38dcf3a68598e8005722be1

SHA1
67f346d4ad1f646f88357f74aaefd10d29cfc950

SHA256
5424844b1061798b06a5d27dc2a33630b6d7c00549678eb94a96f7bba5e2de4a

SHA512
b2018520b0a8ea8121f3beefff24ca737306be153c7b9ab13f0227446e5a36b1cd51d85a9f7977e9d54147e7ba5ba079dd9c0759cbea106767925db718eba3cf

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5d89bc820f516d3f9b93b4fc7e0d6a09

SHA1
6b951195bcb23d10a41cdc961f4d9cbed406b54a

SHA256
1519c259a48c4a03e4055f10e6a33519861ccbdb119636d1ee224dc7e1f51201

SHA512
44f046028d0a1ef95cc06e3b1aeb26f32f1a89b490d4f4f1600c609676e1225bd4722d17917bd590214e139c9e2fa69c77fe24e233de9046d1ce6659d986164e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
17be34bde8a088f90187b2cbfe341e7c

SHA1
2bee2e1c2a16116cf522a2555a067757b23b8609

SHA256
549c01f89486c19950cd84bf0d3769d5e9a454102865324cb17f3ecd608a9da9

SHA512
428d5ea0d5ed999a43af4ddf807966eb087449ba17872c1f7f6b52ac8fe58ad3be06da51fc764194b4f26afd530cfff7bdbbd1facbdc527ccf64d67315e7963d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
373405cb2476876c75345fab035a4490

SHA1
57b6eca937d25a994340840806f7b94ffdf000fa

SHA256
2d1115af374bcfb94b354fa6aa69adbf63d7b3e87444543019d2e2cf7eadc577

SHA512
b06e3494f45b8fcdcca8c96b55cd3f398a067b5d4eb0d22d8962a36852589da0053dd686cf8251760fd4f53f2ac1d9b3e0df23d8c777bf8a98924d0c457879d0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1a30467c4972ff90a4421d001da99d20

SHA1
1716abfd3614ba6c25c3707795d786f6fc877ee0

SHA256
99436703255778e486c703aeb58647cc0ee0a22c6e9afb2462ecf6c82ecdf03d

SHA512
b1f4e9847b35cccdb70bf8567280b4a6fc30acfc57ff4a0620a3e023343741f9af9fc67aa9d7ede690f837b51a3936c23c2e91c2b0027ecdbead19f18583f809

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
7e9e498b3d75dbfba537b0c780c88630

SHA1
3c775f6dcc1bf3cc7b081230f9b717f96c1681f8

SHA256
1c82edf26dfcf17bd3b660f447a4dc5d7fe17cb35dec9f747e1000deeffcea94

SHA512
8d5a64d4327a6ff4418f988809b979493768d9dab52949da6251470f45b4410304c431f820bd2eb7580738186a9c667ac13a7291c686d66cbdca0b57ab7276e9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
758e65a66ad9903c977eff856cfffac4

SHA1
661e542104fc19273cdad2544723f61e327ac73c

SHA256
30c460382d33faadbbdf1f4a363951b4db5231540812c99c02dd283f67df8097

SHA512
69d0693fdcf440c543e094d9366617aa1309325f5457630e5f049bce7259c902d2043bd5d7f30fe443e26cad827aa0da9ab798f08048976bb4a1a79db238baf6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e6bf4c1ff00a90fa64fcc9924b15ffaf

SHA1
177c0e1f7474cc78875f37ab3a2658e6973b9afb

SHA256
71e42fb66301c849f4c9c76d47b6fdf37102d25f11002f1215cc624bbea2799f

SHA512
ae8a3a2946139c939f3f2b8790c0672c4472d67983b0dbe61b3bdb94f1e476be681fb4aa584fb1b8919cdbf65306877ec3e78ccd9fa77b88cb055ad30f7ed5a9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
6a769a5cc7a1fdd29712303860793614

SHA1
aaca1adb29b3e7650f4352fa24b79d271fc437a8

SHA256
7ad17a284f98d4e898e33f1c12edaf4d156437807c37d7f2943dd80dad6b6b80

SHA512
e1fe3345fddd55736f4c4bee4edd6c3101546779c2b71fd5655f6c66453806d62fd70fd1ff3c21a24615d201227da3f737c4b39a2725311d602d188021c64241

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
07c8283eda3faab7359eb1de2c6d6b08

SHA1
a8be98154b724c3a3b01bf517d4c0dc44b1d9d06

SHA256
18fb3847bc9b104cacfbd368f6c65371affbdc4a407b7ee57807d66f5f71fbba

SHA512
9839e1c09158da45b735744862c94d1e632701bc7801ad2aea536cfc6c950a918b4083518ec23ed9f29e6f71ab165f472a117565990d37576a4bedcd542f1372

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a4a01405d7d94e784c017bca39784316

SHA1
9a5829f164b82cb8ae182b8d0086f377c2870167

SHA256
013273fedbc99361720421db26398d0ea605451bf9fd15016050128d9e937436

SHA512
9df8d122ad6e2b9315c5fd91624403959731d764f2eaf02f712978b2647020c174729c996e248a04e20b13ffa2e5227c3cbf399dcfcda1de9ab4176aed28aa07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c9b083416cc8746b6356f69771752f89

SHA1
00ab12cdb649ebc30a8a0a346fabba015d497252

SHA256
1045d7369e49e7ec2e243eafbf7032982e4dcaa1601e2303567be28a889191da

SHA512
65db566d87035af1fd16da71296d5d112410377252ad2c9a23eb2c280f84b0949a6c8511475a61ec035f09e2e403c3ddde60fa4057b38820114d67a1b88f9d52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e89f3d313ce4bae00d8964b2141efd36

SHA1
2dc0f20024d4734f9dc681e2382c3a7eb09bae6c

SHA256
7b683783bbbe6fd1cae9e0fa95ff4e6be86b0cf2c7f935f380775e9c77cdde07

SHA512
0f1ea2e767f046a525f68763e649895dc4b1ad06e3a3036484308a21c5057eb5864ce7383e104964733a8943e36d59bfcebfe9f50d09e465f98da926a35a572a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
b8ec801507aeb57286bb85eef9e01294

SHA1
a2069ebe3bb4ce7e28db165e2c847ad649947f05

SHA256
3df8cb64e97c809594bbf555ac937aa4a4bf1262e5bf5a9d38f41b1b4384c0c8

SHA512
f511627d0cf2e05edaa8be2620993c49373831a57f6612327687198c08dabe4a50d71a44e4a89d227592dad86fd953a32194cd18500de0a2a61dc11cf563abd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e2aa30df711ae5292dd92dc736785b5d

SHA1
eff6b2c562188147ff2e6d57ae4d65803ad23a5a

SHA256
019c58bad9861f646907eb6fd42da3f1cc65904ff07b959d59d8ad8bb59c0bc8

SHA512
0bac7d3da9c62a6d30f446963ce02b5468c6d3a1171a62a4b93dee1e1c87482c7efa4a119f0ab19ec6909242c84869be12c46f9969ebdb62411e7e86a1bcbb8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
59882e4bc610b69178b438848388c71f

SHA1
36e0e3a25c61fdc3f981cdfad5317ee58d418248

SHA256
9c79f5d69326d0d64ff8480356aa8d32eab21d9b3768e02aaa75288acc719864

SHA512
3915849c654a7be19c09fad3320f57bef3aa111cb0938c97dc46156d8d67479f3f0a61b06a83a776cd40707632fdf0ea86cc067cf82be190a1d155414f900264

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8725e19257ddbdcfd3df30b459fd58d5

SHA1
37b2e752aa1388474bc178780e7d441bd761bbc6

SHA256
105de3f2593414f57241c431e623ddb0ead73cfdf58ed79b8b7d5716ceb5db02

SHA512
c10276e54447226eb4802051137e2d59239d8c460b53c082fe53ed8d70c45dd86044d36eb1c3f3324d5071a657bbe09ef3331cbb9af0d306f707d3c08b0a99d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
79985ee55cde13684c560da8922ab787

SHA1
6b9919671b58c02814518f7a519c698dfe539ae4

SHA256
5f1bd3f77861bad2a404ebbeec4ffb5d9619dc1aff807e6f719544ce4d056dac

SHA512
8fb35b0047de0ccb8fe6074d6479912644118e05745dd9334a1e7830764778538bf7eb11f291e3da64d7c2766cf575ac36034772fd15e2d9051bec143014957f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
65edbbfe86a71975d39a3980f71e53c2

SHA1
9e5c094467102e3752960c64877160b48e7b8675

SHA256
db82a07ca8dbc4801347510dec4445d2884fb095f3a24cae345ad51d693c840c

SHA512
f6d0faf64fb3909d68035be54f277bc96baa18951880b80b7ade4be4810e3cec9f30a4454ee6e76b90b9fcc386ada1660dc5086df5a2f2c73afbc32c8750720d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
98121d7d8bc714853f24adbd7788e0d5

SHA1
935c1e5d2aeb491c5cb51a934eca8d7756ea8776

SHA256
5d4b737fc45d948d016b2f86c1c1f3487ac6961f1807739b67e9dcee7fcca047

SHA512
d2649af0a7c75e1a4e3953bad93b254ab2b1a22346481a12ad916b6f8893b8462a5219947548ba2d924da4f5fcb68ce91ae1e40ad354600bd4b48db99e04c43a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
7ccd9449502f57fe7bf9d9efd7a04b45

SHA1
c9568aedaffbee50d99d12ad7b26c50128087308

SHA256
cc591f61ec666f4852db7d0f539b26a67305852d32ddad0605652113f26bd7fb

SHA512
269967f679fd7145c53da8f1c8ccf69890bae45d752dd2a8b4e577ffddb7df2c2038fa463d87a671feb808c4c05731e7dd310e151a03cdc7e887ef4222066341

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b1da08cfbed0b8258f64f6802349d369

SHA1
3190ffd1ef5d113f113937d85cddd12d6bf206c0

SHA256
14c4c655159dafbd73c6eace891b799e9d4e58d699c73b98a4489d799fca3214

SHA512
ad2c2483ff3e3dfc03c10deb15b988e3b8af5f46eae2c10f7329e5dcfc779d41587a273a2b85f624a3e185e82ac7813a41b65f208b5ae0e1efed4f858c0ae814

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6e838e65f8f25fae97d42bc199580ca8

SHA1
f6896c85d35fdca8307b64053ed9b3f28425fdca

SHA256
550f08230c64f206c9ea08f92cc1e16d3d0831242f4afbc7d17c257495b6d97c

SHA512
d4946fe897c9b377a34d760c4f8361d0a8f54a2c270575681e0d492c241ddcb116d27576d90993fcb42abf69db44e6ddc52fed0aed05085f031670effc0b7c89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
1b6422372bb1ad61ba3170b4af83886a

SHA1
b3fc3ef70550eb09be6f9d74a3c42fbda850e08f

SHA256
7db537143eb37762e0509f5ac214c8a3a2cdf38ed60a2d32428adff8f9fe97ea

SHA512
fb8248bae26280db9abc649ad508ad3e8a9ffbb9ce5db9ec376c42202af80cf925e7c144a04c835f4d747b5ec378fc6443759b0d9fcc35a8d2214fc845f76d78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
715c7316ef5437ab01dc15b6caec154e

SHA1
5b9cd89b1d58df16550336cfc94bddaf256728e5

SHA256
4187179b589496e6953a225c4ca4b7687af086c8ddaea86d52e17ea64f0929c1

SHA512
e77d2c5de18e121c74568332e7f4ae0dfbf758221402e757a5b8df461e6dc3e8b9d87d34e9ec2a88c33d504e56bda86f47402a4ca8fb40aefdb770c1330a315f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
cb8363d363824f82654a63e9ec736b6f

SHA1
4c161c624c9039ad441693be961aca2c58bf39d1

SHA256
4577831fa5d9cd93b77aa26a991e8a9c504c6386b1cca6cda78a977ecc24807c

SHA512
5710c9e179ab285f5c3ca4b9e503fe13f38d307318f6a909521ce3deebf58930b545c983f51ca12688b2d524f89fd23706f02b41bc5862323e5e6100c63042d7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d7aa91c1687bcb7f2b3c093161d3774e

SHA1
7d2f9fcd5872422ae057650141d5e7f0353b455f

SHA256
45828b105978cf1b9cab86399a7af8d0a3d232b5195385f7e9b04ba216195362

SHA512
c8e02a1aa52d5072c7a38eef9e45dba160e3504998ee48c7ad641b9766478543a60b909972807311a6e419a21cdb08653074189c72f37d28ef087c0a2cc274d1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
61edf0e3c16105c8667662b802597d75

SHA1
72d0768b1b8eecae633f380f4eb09992b66aae5d

SHA256
6423829855813f201c0b7b05ed0b90c471eabad9a08a55c9702a78e56ad14977

SHA512
566eb93f9d4fbdee26b77bfa6fb6885e5cea69e396114f3c6af030808621bdeb23424883af63b6f2bb48e8fcfa1e91e3e098cfd95e596e30c5d49ad369b745ac

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ff7fee0e87649586c9698a733d044aac

SHA1
2195c70a36d52084d9a6a46f2dca8ed8b1416420

SHA256
71af8cf579e3e581fd75452d3797eb0b08fd38650c63544faaf7311085b9848e

SHA512
1c27f203279f5fac632d8384a1bf96bc7e61139618a3cb3c19a036794d39b3c9531064e556f6cab8e930706682a7d4f9424a29b3e3f2e563a1c1c66145780433

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
37d28d7a9a49a410856d357567383347

SHA1
0224acdd96cf46619aa9451b992095926d6e2a7b

SHA256
403809a576cb6fa9ff308bf830fabc69319f3e3ff6e0dc0167519e2bddba96c2

SHA512
3a19c4627f8d4e7085725577495ebd80bbd2ff96a7fc5c237fdb9567122f0047866cf268b2bb7998a696f79ab952c30b6092778911f9122931d8bc7b0fdc0a5c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9d77469653f3e8151f70b099c3223788

SHA1
06e828758e985fee2d4bb8c19f166f6bc068b20a

SHA256
a67d1592b36fd8c3313e8d7b63bc3cee9df8a7b04e427db2e614725daf9086a8

SHA512
6800cbdfef4e1bb065b5df415cfcaf28c5fda972720d441080c0b45dd5e59d1cbd4ff6ad4b4c16f8ea5fccf7f2ca1e32ca6b8df84bf87edd584b3ade8cf8ca5f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fd085b5868132a1954d0346249562605

SHA1
19b537de920ed612d345598598cfc9a9f1da43a2

SHA256
f19ae8151e2b14d8ac554932c54720b59cecdfb6da7f4447364666ab78243ccd

SHA512
9836d5062f615bf1d10532438300b46a0c19e9bb5caac6445d824d66933f9f1441230504a31c04013dca89470dad3148b304daebb41db624acbfb0b3db2b5b65

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
255fb4e1120d32b8c2e88d33c2863b5b

SHA1
22b352c3cfea7ccd0834a698b0a7db6e20bdd75d

SHA256
8d2e649722547a07fcd72dd50ce414bca46b169b737b0cab05408d60fb55686c

SHA512
7123c1f6d154e762d021de80e13fc2e2328fe24bd48a8d14f7bbabfbfe8882604465dde0edee451764c66c1dd162937cf9ea447d598aa53cc0b115c9ea612c78

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
5cf17eaddae0137ab601ea004eb8eba0

SHA1
7fe98bcf8002b3561821d627018525f790adf5f2

SHA256
7549e750c41c2c1ebbf18599c624487e27493309eb731dc40866201a4f017823

SHA512
4d48bf8c136fe967a8dffec10dd401a9ff1064e13f91f27fd89fe1d945906045569b4dab10dbf1c3b9937906121e69ad77398c99d0d790ab237a31e805aed132

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
decb63b8bd89e18f98accc73580a18be

SHA1
815bfa8dd3855895ba9ff6072b9a74583f99dbe0

SHA256
c8a33fae1fc22d3e76663c2c60d30715f805dc410f87a9b9b735d5c5640843d7

SHA512
ebc96b37dfb71c81c546be270208500a23446d1524bb5d80f0b5324335b0399efa553af059391ca05a8fe6d3305b984c271edc814b8c97bb621c8d043c91a1e7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
085fda561a0ebeab9020fe598b457309

SHA1
f8d22a5c6b7c91deb94b8246dc552a15653e9da6

SHA256
bdd036141edf8a8a0927b28398272376fc9c30c341d237d32cbc36b6489b0014

SHA512
74ac29c781b28bef93baf1fb3790dbd417723ed100d878761f2347659fe676b1008b44dcde4c1d477ea4f275ec791f7b5c29d34e680239442901bf632baf5548

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f0a967c4e52284a2435b7358572348aa

SHA1
5c88abde9aa0b49052082828b521d63fe56bf8c7

SHA256
a12c0ab83a849ebfef88c7dd7e713d7ca4d5851e4043a032e580fc4d5dbb3c0c

SHA512
9bb3bfd953e1827fca6539836d3b146b87ab571484da18490504737948e68208ab228c70de08ce7061bf6500eddcefc1565acf39c233958ad930c3a92d12ed53

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3c5dc8c43496fab628a64c8d23e80bc2

SHA1
59c77dbe13496580806b1e077ad5599499c2b27b

SHA256
e513933b50045909d5d5227eeee0bd4fd4add25bc894212add1a23ab02fb78d6

SHA512
b9e51fbf755a1cf78c92e323636fc4ec28060690bb7269dd87b6ff45cf7a760f63cf1ced42a1d35775fa10293ce208b924bdc62aa9cb2db7ed317b4d3be336a7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
aa0c7d0d29e7a0099c109da52fe8d42d

SHA1
068779c9232d8feb37e1554fea0e80693214272e

SHA256
141336093aff68cc2a96f9b830a7a2af61c126c2edfa33cd8129aed26365a776

SHA512
a2322fcfe213189c4eae5e4d0019a7396a9374cf49701c816bf3574acc7caca2478740cc2d1aae14441cb12198429cf5f717724a6e2aef249e883120bead7abc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3a70a00818ceb16542de799964ec9acd

SHA1
0097b477a04399c054fd1a7b1003a9ff549a4d7c

SHA256
963bb264ad1534fad99b28fe900e74040d0505dbd7f0864842e8ab98d5ffc21c

SHA512
3f172adc7093852a2e0e9396bf4102d70612f669524c5965c48a043ab9193e2132ece92a05e7f68dec3f1367c41036362edadeedfb647d03f5382bfe1efdf12f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
702d56e09d1fe83fd3aad1c9999c58bd

SHA1
999256366d0f0446daf15ae1ba920102a69343cb

SHA256
59bcebd5b75e95fd07f65c87b8aa5d81291cea7901fa73a1c846be768d25532b

SHA512
08fe2c75f516d03fb03b69ef3c2d827c30c19697bfac123c96bd627a59d847dc4f1964dc06a13fb486536c0009b20668060aa84c805c79ebd7cf4d3501545663

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
809d393145aff269a294063b140ae9a7

SHA1
afad62f7260f3177792bed1f165e4cc4a5d002d1

SHA256
9100c7e56b9abca99997fac0effd340ea67760b75175d10f008a59e8a2ba776a

SHA512
ebfa19847b79d01f2b5b56d28836613af368f83a742b77406a85a514afe2013aac54affe87376126aa7f53be35d03978f5bef2c7e6c12ecba4069ae12efd9588

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
655e759f2507222d24394a6d4f524861

SHA1
970b69a338163472c425dc6e098bb6924d819a36

SHA256
bd47b61f91686b40a6f89c46dacf4a10a1c117564367ed589856b8dd61a53a2c

SHA512
df10b52202e8edee82824a6eef91f65a2df45ac15bff91cfd0fda674c8ab8452afef27be26a450ccfe23eea74a0ad843aa1c4e443f075ca7ade449fef79c17af

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7b1914658846cbba8502533f0379869b

SHA1
972d3b9e0651a4dba1d289f57c06d5d0fa45e2b9

SHA256
8fa832e33616c5ccbf43ffc582d7185581d11e2e2bae2776eda60404f72dffb3

SHA512
539549972709efa8b1a8a84210ae8daf4ab214c91870ef19511f842224a6efbe921c12f93ef58bb430dfb261b3dc9fe01d837c000a73fc618c9a540dcc400d1d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f38c319b9208fa14da1564e2a9effe26

SHA1
f429886d2f0c89e4e48cebfc77c0b90e6ca93e8f

SHA256
5b4932df02d155adac544eb7d6af7b208bcbdf704b0577235316300073d24be0

SHA512
5e72514c02c6ec9ecdc208590c5e31116bc660eb666ba9510412d9cbf41fac180e6f94614a59ac71e82b4f5ff766592462c3fdc3332ec68f3f7b369dc3189f52

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4f00638390bbe2b1192340d3c6d8673e

SHA1
52da6ac7081e78243bc0204e86489b2931af3e81

SHA256
e9d35c1e065b67e1884d15e595278c1dd767332adccecdb739e4d9a080eb432e

SHA512
8f0a349c23707c460a0660d0d015df6d92fae440270493ce13016fc597f1d4690def794e17837238ccf1662855d22ab1e549f2e1f6ff1931762da6e2cc982424

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
07f3e87e28b385a35c7b55c78cdc136c

SHA1
221ca67622b4315ee3c3cdc13737e39a8fc8694e

SHA256
4ecad5ac9d59f87485bc72444e7334c40f17cf40fda6b59b67b238683f27041b

SHA512
e06962f52f825846ccc25942837356b50784ed83a924fd6b84804c24027175535d13e638cd1e905cf24af77d0a531603edc2dc1e3d6e1b80a30f376b8599f7fc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2112ae2d1be3eb7b2603c75a2d425658

SHA1
3374f0716c5a1a68377b77768cf61dd96ba27285

SHA256
e9da4f906fade03874889119bad2e11db0066d15328fadd6e5c4c507f78e0d6d

SHA512
89778e5574f9d53149d92d7b05639b66aceb6a0f7e63593158ec1209533d5d98b2373bf648a79dd07ee95f9ebc0a25a5da4f578db0e19218be4cfbff831c6d38

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
da1bd3e2ac4dc8f1942d4aea675533d3

SHA1
2bbbb63272a49c1b49fedc9024a8f2c4357bbc21

SHA256
6f14242c382372fa266e7c411f3fd1a02165bf5a3ad5120bf783783cc2f724ae

SHA512
6e08fe63bad6b696f278791c146a471f0743b00f4e1448963ff2d64630caf5f5e4cdb51d01b48b54d67b424d73fdbefa76f3870ea71f3a108e3bb90860f28b64

Download Submit
memory/908-125-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/908-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1056-517-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1056-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1056-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1180-107-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1180-21-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1180-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1180-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1236-159-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1236-105-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/1236-100-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/1236-110-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1704-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1704-515-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1756-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1756-99-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1776-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1776-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2044-166-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2044-111-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2068-88-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/2068-158-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2068-96-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2068-94-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/2136-262-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2136-119-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2304-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2304-32-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2304-39-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2304-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2592-81-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2592-154-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2592-74-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2728-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2728-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2800-149-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2800-69-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2876-518-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2876-169-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3164-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3164-66-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3164-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3164-54-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3164-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3236-0-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3236-73-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3236-1-0x0000000002380000-0x00000000023E6000-memory.dmp

Filesize
408KB

Download
memory/3236-6-0x0000000002380000-0x00000000023E6000-memory.dmp

Filesize
408KB

Download
memory/3236-527-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4060-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4060-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4060-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4060-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4388-514-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4388-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4396-433-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4396-146-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4524-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4524-520-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4812-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4812-516-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4880-143-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4880-397-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download