52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
Size

1.6MB
MD5

5a11fb5b1629953f5596afa597206766
SHA1

cec4013f6f92da0be219016190b2929015a7b913
SHA256

72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698
SHA512

c3f3e32bf8e3c5965af914c5119561bab58cd06464fc84ad4e42aed1d1d6df591b5fbfec9517f30c0c1212ebaae866ef07c31f19d495dcb02849c5c2d5a86a6e
SSDEEP

49152:3eGRE7Oseh/izLHkJErZI79LNiXicJFFRGNzj3:vWOs8MD3C7wRGpj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3500	alg.exe
4132	DiagnosticsHub.StandardCollector.Service.exe
4748	fxssvc.exe
3668	elevation_service.exe
3124	elevation_service.exe
1880	maintenanceservice.exe
5028	msdtc.exe
4520	OSE.EXE
4824	PerceptionSimulationService.exe
4976	perfhost.exe
2736	locator.exe
2824	SensorDataService.exe
1992	snmptrap.exe
2468	spectrum.exe
1476	ssh-agent.exe
2224	TieringEngineService.exe
1576	AgentService.exe
3444	vds.exe
4172	vssvc.exe
4352	wbengine.exe
1988	WmiApSrv.exe
3944	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\System32\vds.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\wbengine.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\AgentService.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\spectrum.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\vssvc.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\904508dcad6a2b9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\System32\alg.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78984\javaw.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009debc7067d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067c863067d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000773ab7067d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072807f077d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000077974067d55db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4132	DiagnosticsHub.StandardCollector.Service.exe
4132	DiagnosticsHub.StandardCollector.Service.exe
4132	DiagnosticsHub.StandardCollector.Service.exe
4132	DiagnosticsHub.StandardCollector.Service.exe
4132	DiagnosticsHub.StandardCollector.Service.exe
4132	DiagnosticsHub.StandardCollector.Service.exe
4132	DiagnosticsHub.StandardCollector.Service.exe
3668	elevation_service.exe
3668	elevation_service.exe
3668	elevation_service.exe
3668	elevation_service.exe
3668	elevation_service.exe
3668	elevation_service.exe
3668	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3268	72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
Token: SeAuditPrivilege	4748	fxssvc.exe
Token: SeRestorePrivilege	2224	TieringEngineService.exe
Token: SeManageVolumePrivilege	2224	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1576	AgentService.exe
Token: SeBackupPrivilege	4172	vssvc.exe
Token: SeRestorePrivilege	4172	vssvc.exe
Token: SeAuditPrivilege	4172	vssvc.exe
Token: SeBackupPrivilege	4352	wbengine.exe
Token: SeRestorePrivilege	4352	wbengine.exe
Token: SeSecurityPrivilege	4352	wbengine.exe
Token: 33	3944	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeDebugPrivilege	4132	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3668	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3996	3944	SearchIndexer.exe	107
PID 3944 wrote to memory of 3996	3944	SearchIndexer.exe	107
PID 3944 wrote to memory of 2620	3944	SearchIndexer.exe	108
PID 3944 wrote to memory of 2620	3944	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe
"C:\Users\Admin\AppData\Local\Temp\72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4200

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3124

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2824

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1924

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3996
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
617f01e128ae1e86209cc1cd4d711a0a

SHA1
5e0afc3582c015d45f240e94c5492f7ddceaad7f

SHA256
44b3572ecb9c3bff87bc810fdd117f1cb5ea43d0f3c1b9435f908572a5b334ee

SHA512
b10b9c521c933eb0137ae3d98debca5fadff08b3802559a0cdceb6da29cc91c042ecb4bf9d0fa8476842081285a535e73fac29e585fbede3c7a2a59f634670fc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d079e730fc1604dc8af8fcc8a2ac8572

SHA1
baf58a42f409b5c930a863bdf2b36c750f21fe31

SHA256
80e4e40d3853a9dc9170813121739caf6c8fb275e1ecd9327da26704adebd469

SHA512
ab9c8d82fc2f575f470e25f8f964cdfb60666eb166dad4f7674f79ec2e79aa16f21635ad477f836600d3a6a5dc84fa2689f98b16618795ef9d17e531bdb7bd16

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
34047161b39d68ef98ed15dfb805e41c

SHA1
5b93fc9ddc957f5d24614d4015201d6267bd9409

SHA256
47d770655e5255997d796a894ebced4d82006512c29d22538db91a3d1e361093

SHA512
92b0166404becec19a9ecc85cbdf80758018a7465c035e97f64d8eeb3655590d889235d5244a4d6e377a7cb581787bb16ae6cd01ab5a85c0d22dea9ba1100bd7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
169a5eb55a09e90c519ffde41d997619

SHA1
aa0e552b6114f92c63cfe65c37cecc8d2fe8f480

SHA256
34c536b5e6f8b78090bca984f6eaa84c9768429d112cd0762dd1c95f1723f836

SHA512
77ac20f3da38c29b179a4bb99ead3ee239a681aefbaeda5c247b42b81118fcc256469d50f373ae8027c3e633153921e5498e3d5d271ae6b681f14caeb2b49b8f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
08a40879224c02787c569e7651da42f5

SHA1
0047804a28e8211720e1dad987d51d4267a4c1ca

SHA256
0214a0a5cb2ad93633074d016047b60c4d79675b4c728d2d749780b9a5809710

SHA512
409539d41a24dabb20d51471bf5dcddd2ed3aa26c3768682431c103eea9ae495cedbd8b5656437f62cc73582787ede0459b30b522b068b3bcbb71c1a8138bd2e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1ab27c6edccb2d473616f38eb4e2586a

SHA1
2e0817c13bffb65491f722c514f840769a24293e

SHA256
eff0f7a05009fe63d9716abc510ea4505b133931a8c72b35ea38b7783c16be18

SHA512
106758826d2d3f9901a4abc5aecd8df5440846c7f356d041f3d7f71d29e2ef8667e6b573ad33687c4dc145cf65f465d4c8ba41910657d71a7d2e29a19a7fe04c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
e7ac0057bd38c773b31cc61ce29c24ca

SHA1
eab6445e5c762a4648cb673c64c7e370d7d30b9d

SHA256
64a23b62e6ccae75070603c8bbf6fb531fb9df5cd12cd5e65e11e2a7aad4c212

SHA512
31aee71b9f35f8861e8a97333e0797659f2c9b57b5d5142c3faeb2b4f89f1300e92a78bff6ba43a111e401815b79613b719614322f8a8fb94d47b4c23269836c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ac19d70b7eedaa31bf55dba443cbf649

SHA1
1932fba50aed000e3afda18a83b8182cf7be11fd

SHA256
7aa4ff423810969e962b2b2603cf71f99d06153ab34531756f2ebd370a065ba7

SHA512
1764d30fa565ee5e08421b9a8c3ca5e04ec50430a8976110a69116dd85f9bbe64c7793cce6f89195dfa0234cc40af74e0cb166705225d702287c540701ec6987

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
2a9e309fd76db10403693a087e1a696a

SHA1
245e26d9813f98637260154510449b78ceb05800

SHA256
20fce6574e40b10b0a69d93a208bfba785454b92bacf1df778f6157c777e30c3

SHA512
c50f3fe254f82518e6cd233f2e8fb7a41334c96cb9fed4ecdc2997777dcb837045e165bebb84b5c43c004b18dd606d06cac0e47f69e787c4842310882cae6f69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7c639d4cf1b45e2d5aaa196307bdf455

SHA1
7ec63694e1c36907e5263313725dd7b8625958a9

SHA256
329d2309fe5b832f019ed62fd52721dcc9e254b6e05664dee0080ee26b3ca1ab

SHA512
2e61eb1c93947317682d3ba1449c8da73f4fe68abe3650643b25a8fc4fb66ee38a737897568a02074033f693067045bdcfe9d4111120cd24e6f2223a49f416c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3d0786967ee2746f1524764bacb8e793

SHA1
6ab5df5bc23d57de6f1325e5e423e6fd197e5e73

SHA256
6d91f97a26d68b9ca86fc44e36bd1df2a399095bf9a6307f78fb6e29977e9535

SHA512
bfdbddb68c02085719cc0a4b2f8e21647ed00603563aad1bceadc70939841d1c094dc513eb34ff5f28db20a695049fbe29d947799b082fc4d0012b80f16eea3f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
99210e93fb1b3246a8ed6a192ef8bf1e

SHA1
dbd35eb029edf2a9935de79ea84a5357eb6f7be9

SHA256
f7121d6e3352e383c08a72182b2d86a2a540962f37f2cf1bf5742b6026428ddf

SHA512
7bc076e94e4a2c8172f8330da9fb3b93d74fb563a5db84bb8d9ce684af6579d945f10161fb6d280439b55ef7b460167cc7c79fa8b408c574fa9c4176282aab5a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
43975dfdb8c92e56c56e9a724adc36f5

SHA1
40ed91ed4a8bac34ae1a228a56859e289a869de9

SHA256
988ae48d8425c1298c85e6ff5cb6724175c8471e8631bf138683195e504a3107

SHA512
aec06aaa6fbf1e89c50d210b4e76ea0de17d9c4656e463569773f6c0c7a232b43924f7b251f652952318fb645fa0f7908cd9a0d9faa54182e210ccbb26a4c28a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
aa7dd1d11b97f6d01420e8f1ac0d351a

SHA1
6845c29616c696c03bad0765f337bf7774ec4d3a

SHA256
25ce7e7eb6add7925ebd88100224001b705d28ca04bfc9fa6ec0337984d314f8

SHA512
3e040ef8bf83f5c4cdba1a5d69177d84fcb9e6b94910e1dce06cccfaea4230a3e0833d098c553e1587e3a58fb1a25e910164a5e0f8a32950c4e320463b2f4ce8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
444ec990da7e504f15759375dec216ec

SHA1
3302084a345b93f9533fdc40ef21a33ffd0d546e

SHA256
069bb9b3393462bc8b8f6856c37e22086cbc42630c9b01cfe501921b2f14dd40

SHA512
1a2f1c628bd6aa76499f4b605de07d082da7a65c1a239c7db59d842270cb07c14e79c517d7f7357119bb79e281052b6e3539902e73f2d7e4ffe5d5a9039228ee

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
9922467a1901417e60d151db41caf683

SHA1
e673fbaab8167252bcfe3d24318d5b777f9b56c9

SHA256
351c8e28adabe28622f236a4bfe1385fde02e6a0f47a642aed4a4b936faf9697

SHA512
2602457adec065686e0a3c5d7bd679f9a2f0cc0865f4e48c4c9b719db1505d6af9092f3196f88ff1946a3037f9a0b20b6d715417a3f5c5eec0fe356ed8324305

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
aff09154bbdfcc59cb45ea1728bfb346

SHA1
ff4cbe4a3274e0ee73803d17d4d5b608d41ef31a

SHA256
111bcef7d8db3d61bacc7458483c7d81a424e216bbcbbd1ad3b0240037ef6af9

SHA512
24416716a1c20052ac00aa629e182ced286ff54c4d4df84a86f7b8412bf5f41b99c25e49f35e6bd94ea591a55792e6986b861343ef6573230e1a2b314102bf71

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
a15eb0cae3dc665097a297ffc153d2f0

SHA1
008f6bcb4305c36b107616c5d81c5c49e5afedd1

SHA256
05cf504b1931939db5a3f0859356562f926b2be6f045c22425b4edb06b6e4d20

SHA512
150cdfa67619e784b7ea72df9ec2ce5cb458474b1696abefbc071d5fd25d9a3aaf86ae8ded22c7f4ef1a69ebdf36840d7d39e23848ae84cdb09d6cc57491e8a4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
0e97a71d3e8925e95b279eb9118436d2

SHA1
0a11f47585dc97af39777ceb8db8535bd1ad789d

SHA256
d965430cd1b5b0aedc408cad2154e62ffc8b3afb818ffeda8b133dda0f828aaa

SHA512
fb4ee6d8250236aba34f2afe61fbab45d4bc361bcfa52665f6eb7105e1a09f8fd0858705370d270eed1c33118dddf5481b918b854cfd61539e2b13f46539444b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
bb1898949eeaf8d05bc97cccf7092ab0

SHA1
a3638378a60199557658a2aed2142e7c1b3bb640

SHA256
27c9429bb0865b90fab6cf62e5485b622ad52e1f86eadf4a121b2b6b32000c60

SHA512
9df424e1acc9f39da1829d28b3bda4d8eace07da29d3a70d442d6b6872de7a9ebab0508e53cea17105a29db581582da34b2d8d35ffcbc63d1b78576e1b38210e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
e01b74c46bed9b2d09f92b06f0e71f7e

SHA1
c8a804c8153bdf78d903b3bf6e189aba29e14b2f

SHA256
993d8f0cf8e3e9a612747ba5f157c8d03e4cd26c8bbe3b27b8b1648e5be85414

SHA512
1370c73a1b648579bf71e2ec9ac6f16721b2430ef28222453b0f6c1ca98d5cd4a22607192533c9e8ea32322109d73fadbb55f92b7defdbfd8f4b4a4315b095cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9be15787f41fa4901973e847fdc82094

SHA1
f482521a593e4915b3bd856796c6481aa2826994

SHA256
28b6d7e91554f954ca2938fdb28ace459234f2feb6d983907462842639d072d6

SHA512
4374cc1950a6ce6d11689d7fcafec90e421f8c84faf2ae68c364f59083529e4cb28312932c367eb53b40101fb0f3a4dc3ac8dc01328092bc85d40965013385d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
74e5b8065dd6e1e2d48f4938de3f7ab6

SHA1
c8074ba1b41ea10eae9d115ac46ba3fc1ff877bb

SHA256
1b62af3896af59e75924be480acbc3ecc9f2ad67f0f85356b62531395a02cbd3

SHA512
befac3ce632be145babe4606a635dc745684e71271fbbb3a7df7f817c99f4d5007d598c12895e5317b8d05b2c6a2dc59661c9d8cb66848ead24b8524ed02937c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
e442b5a531ffeb8eb1aa18f1f86bad39

SHA1
54ffa0ef07532379e4fc97ca693055af42f41744

SHA256
9540a83f87b194c4f5a9fe0ac7f241d34c2ff9fc1be20cb3bb5f2b44da89895e

SHA512
89187c9449f174ca1eac58138c762c27819c57fab036268c561de72e95cee6b023887b0bd132aca57219a8015fca66d534f45c30d80deb95ed8691ac2114205a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
cc7fdeef20057ad444bc772da076db1b

SHA1
38b6ef6ae0634f69b6a74811bc6a6167de83cdc5

SHA256
c9c578d86516c77e70e291f4e21810ff29f080491d95742d36d9a146e6fbbde6

SHA512
99ce0d7617ce433a61b5f5528e1e33ab805b1dafc505a68b74d8893d6eb7529a6127c0adadfd269f2264f28e614de47982e15e8544825dfc23437d768ddace80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
fbd48a6aac7f08d7d569768ff108f5d2

SHA1
227e544fccca6d3f3dc63da4bc619f51e29b69d7

SHA256
820c629fb8d677cd53185ddf9afad93260f045ef3b9cd94a03ba735a6a6bc011

SHA512
28b085ca983b5d8fb7efa0e2bdc7256a2baf88a81c9ba570c1793754b04818b1109de326a7e47f6f267702727d6247575c029329b027115ca6e8e999f6f35466

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
ab12b4f2fffcb39fc49f6d94544351ac

SHA1
b27bc9f1b213f9763a4ed97ba1fe80dd3357149f

SHA256
c63ce48423407961b1e56ed0450ba587f1e68314019a452ea188185d81b1f5c7

SHA512
5db373e08b077269f586ab7bf3b30cdbb9922e134d2cc00d7f5e72b6bbcf99cd90b924cf05913ce83802a9d2baf67033a446f227846c7cc8735361ddafe6b776

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
1fbb8b2b5366c3e0c57f3f0e72282044

SHA1
3e6e6e11e51335fd6e2e56822d519ac47a012835

SHA256
6c4365e355613eee9c5d39704a9e3249115de358a9c4ed5bac0dcefe98e31daf

SHA512
b59454a28139e0ff5fde41f38fe484bc3b865e002a469e2e2553aaa23aac4688b0b5409c20bd1c193c0134d958f63768bf768320d12eca8592f6de790d7255d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
00b36cc4e12794f70ccfbfdb935c40a4

SHA1
b12ce34eb832fa8d38a385851c3a42119a91da8a

SHA256
53444f8967df05fec75f4fb95259319733723a33484b6ea11e8fa3aaab19d878

SHA512
d184971921aba19a9d6258a6116da02e8b7b54dc432a2f17f72ca8b597b82a46b261151eb587c64772a46e3d4d0bf6c6ae5ad8cacd2aa5cc49328eb7c2f45fa5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ba5dfc7eff7bb3c6686ab4d28aa332e0

SHA1
3e328044e14440930654b381d06ccaf2b46ae72b

SHA256
b53ae352059d34be461f9c2b9766b578f72df49929a8106a113dd52055796ab4

SHA512
95906c0699e0ad14f0cf2ce7b9da07ae37eefcc749a1f1b2264693ae7ea1945170f1393aca5fbd8ee9b3d40574f68a594d9a61a7a4dfdcacffac3c368a1946b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
a3f27b6df543e00ff808199aa5df3ef9

SHA1
39dbc6f967e32cc3538355d611bd07c6aea464e9

SHA256
0b09242dc136bd29b8e63a9fb46675a15c410468a2f9be94f93de01d4126d549

SHA512
22b070a6e90195fdb0fce163984c0631eea8e1fac16857dc4be7786d51925e8aef9acbc7161370237d48ef6d761d4e52abd814664b518c927b0a09681381ba68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
5af2e0e5d3fbddfaa79013b497a1e690

SHA1
0583c7841470f62f64f0e0f08a90df8843afb26a

SHA256
7b1681a4cf5a9a6fc12fd6ea8193dc9a69e40d4df528387df7cac48377d77251

SHA512
67da4dcad2c84bbb4eb1d8b198a9410d7368bcba8b00e5cb4ab41a68c09b515dafcf97059b5f8b71a6a7f7a2b1fd6b4abedd8ecbe8f10e26286d2ac9968f8652

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
56a293e90dc85170bc4a6dfc8738ad8b

SHA1
e5d3eef33becfa2cb1dcf1cb409dffb08bd3dccd

SHA256
03475544ae28cf2df9d01044e0b3b2a135006d1e1c98730ad5a0fa51a29ab30d

SHA512
2b19f0b7ac01fc8879a98fc422ca1a5e9c3ed91d728db28085fdc641c3704548238ea35a958f0893c55dc241bee4e404f3b9dd8f39304ee705a221b8e4b1e6f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
39cf908575c954c7f870913d24981d2b

SHA1
272ceae71db256d7407c6f04fc1a1ad0591fbac6

SHA256
731a6a7896e6b5f28270baa3d37bf6e9881136f74f42c57f404abc52cd069194

SHA512
8162e1123b87b223ef63b45ba22d86f3122b97c28fb5a5e1575e910778cd4e71e76848c544546f2bf4d97f81bc53fbdcd6f8082adc8f5565a2fbc9f58ed9b97b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
4f7d8a7fa1315616267cf57cf3c2a3fa

SHA1
33fba3d21c09c2aea0c274eeb79280aab85f32b7

SHA256
786f8e29ac3b0d90c794cbf475ce85556ca5a84f46749948ebe345050614edc3

SHA512
aafa1da7a6aabab9eb1b1b4968e81258b6d7656fbd9c7ad42d6a9a1c979b0b00f2f2cb21ed3f16aef10797bf053cfd73734d6f692763e2cd77ba0686d7111584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
effcf56b69bbf2adbc45b45d18e9e113

SHA1
06ace866e114f5414e397b3e119d38d1aec821e4

SHA256
d6557932ea30ba361cfa7ac84b8d38255cd4db58ef2a35849fdd877ec539546f

SHA512
b9eac68edc93f75b0c3d9c7dae4a50c65c387ea08de16ae4d31719ad6df868edbba54b289ffb58170b224f87ca40a717318eaf53e435ccd772ab990071b0133c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
5eff0d1008b81bebe65fb541d15e0c07

SHA1
a98a1f40d8fd0cbf285fdeb5baa659f7610f3de7

SHA256
84da3d747bd0ad8c9c129c4fa3cce85b093c306ebb6773c4381da3c07323fc4d

SHA512
3afd6b9f6c83c7468aa26f773474d98bdd0a9975f3f15a695befc32e584666ef93a51326d4d46fa49013158f1265970d57541fe5c9567b2170cab4b674b419db

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
317f626f7ca4f50f2e7083bc453c765b

SHA1
bd6d9e5256e3b6bd29ea42ab9ae960de98e0562c

SHA256
db183f2bd5c2388ba691cf06510096014dad3d8f3240abc86c98af666014bb28

SHA512
70838f712c52f7cd7b6ed2850d455c225732d3257351e617763714c7ef365f0a84a2566ca037396c199b31ccb7b37d9989ed427f31b744d0dcf89a1b0612a3c7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
7a8dd60cdfdca495f48add0849b46490

SHA1
0a5ddbd14e9860f884a166b7ea9921acaaa3e784

SHA256
1e8e7309ae2db0bf13ae2f9bb386f4932350668a12d57e038d1f089634cce6c9

SHA512
666fd84f7de48688333dc13bfdf35024d5c5408878bd392dca67439a154037f917d3a0ee464bf0a7c8abe676986599f71cba83dc165e8186180de72f3edf6e02

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0c8d4f1c5273cf7e0a9fb965bd563f95

SHA1
29a168f6b5a7811ee828da893d081bb6f2dbeb84

SHA256
28068d04792b098f1c42eab30439f45c1df9f3c48378ac86d735cacd954aaa9a

SHA512
b83b6ed097412bafda4838ad620da6e464d039afa529e00659f329491f180a7e2208b57cab212bd6eccde3d3a1e83f0075143de6a770ff9d00d8625c880f1538

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8356f4902e1b1d8fe912e4df17c354f8

SHA1
4353b2e2aa225513bcb6e8d7ae477ed302620d47

SHA256
2fc8b3757834f9827d53d4c3e46cb4611fc71c79158a2857bbdf895b66b3e4cd

SHA512
381677419d17fcc5707a7b6c95e9b64860f17e6c3aabc05bb1c1ff468dd2bea31e2cb76d96664eed4fce7aaa7ceb9bbaae03f9981595a4c8b65c40eaf163b88f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a83c1ecb6f8f334f2be2401e3239b40d

SHA1
f091c75354b70c37d4ce05b8b36fe0ee758e0a2c

SHA256
6f4b4ccc44c631aa098b34ebe62d44594afd269f01ed50669842309540c1aec4

SHA512
2f216df15bcc2701e4af2bfdea2b81e617a716292a7d95a36a5420741a72c189d40e57e6215dd6b2d88f64ab0a7d9375fdd80657e6141753b6d20a2261980ed9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cb7d212411bbbdaebf36603b31c61e95

SHA1
f62cce1b274074c913a4e692efcf03b66cb23463

SHA256
e80bb50b02c215734232d070c7e898e8262f580f77ae71659121463b997afa4a

SHA512
cd9ad4769f31e1fa30b792412433d5bd2a3bb4f19b3e6aefcc885184629d02450682b7b93fdc106b202e0ba1eeda51ff7ef23e2da48b408064830bf98736e7b5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
65cbde9062bda0823a4e1366c2a8538b

SHA1
f9cd012f667b1f3e48215be969a9a4f98f56354c

SHA256
20e5800bc198e80ad76b7002bf6f4d21a5479f996a5c30311da12169048c8ae1

SHA512
8ef8216e2700c529302333e4321c85075a2a51033dd512a735bd91bec3856ade0de7d999f2dc7ef9b732255c88472706957407df38c8cca9ff599189fe25d21b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
3c71281c45da43bce2bd12600ee90da6

SHA1
da64491c475817170032ef49b2a0210c029ad241

SHA256
9ecc0bcb3018c0d5a7bb1b57976f207ed58f38cdd98f4e3034b551d560af2ce0

SHA512
bbd70bfd1e1a90db23ccb707733849ae1ba6f503fa50f9011410226dd9680edcf9ca1b96082c2677e5ef2860ab3ad2ff8c8bc975f09a0dd0fe66993f755cb6e2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
47b7784845702211da3570e5e69f6c57

SHA1
548c4647d217f582efc904b6f2d5b4064214cd2f

SHA256
dd97dc1bf59752e97bd2dc984c4c9ae239abc94362c44d26ec085c19d9894eff

SHA512
cfaf24cdbf08b70ca691c78345c0eb817739bba78bb607cfc1e2d31b74d5685c9cb975be90892d4a1b5fd84553e50fb1ca45397e4bb5d6f8b7f6be817cda6e8c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0c56e040fd514cc6197505856e1ea5e7

SHA1
6a199d342886c44a4a2f0edffdd1a310c22e9f63

SHA256
c3174dd54689abf3f13d18f9abe3e04bdf3201f959b7b0711a6bb183b61c2d36

SHA512
5393bc8dc58c14fd2de4c2fd0a450b54e23f83157e0bcea9dafeeeabe5b82c365f18e842d4aeeb2d65cfbb0e7f410f4045ef06d7f725c2546aee5031e9917b3e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8e8db07beb895eedfccc35d771a0e5d0

SHA1
413bceda6c6b6773604bf7309c492a724beb87e2

SHA256
bfd31096a13fed05c97876566b49c8eafb4c67733c58e1ef2d077144aef508ea

SHA512
b89da5148113e4898262fd938e7e724940f2698ffd4b127fef43b9b005757af1fc271769cc5ec2312b911bb0007528d9299c8bd10d54356c9625a0d8915113e4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
758d4168ece6c35c9c25983eb8062fa0

SHA1
42152df462bb67f309cd5530c76b9e46b0bac2ed

SHA256
9253da75216d263c0242ec9991ccde5165a8fbe14ec87e717588e6507b031eb8

SHA512
cbd2d9c9b1b809f77c6724e111b3b8a510aeb9e75219bc055926d39354d5f794ae4db9625aa67723ff22cf06279121d3cdaca03d8dc460012050200d58c0efa4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
eaee70c3f2271b21c6fbf4bc7364070c

SHA1
7d48ce8797e2f6eec073770222d8d5a8017e9aba

SHA256
592654703f9e9e83a273a43bea08a03d8d2bbd7816807c173da7f10323122614

SHA512
a02410ff29f8641f3e6986e018ec2eafb78650ebf8353cb38f6c186b48ab2b5439513c025235dea40fe00854d8af6db21173c4fadb00d3044a8ecb3e7d05b0ca

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
799d15665e00e2e6f6d4c46b247b582a

SHA1
a96e00a296aceb59e25d30341423f168fbd5b18e

SHA256
7f55b5d34cb2227a89bd0557194ec6d344250cc7d536dadd3bf4d5a9ab008e52

SHA512
f0781289f900a045508e89577dccfbe8801f1885c0b8e7225bc1e11c63dd93c61a7559e0a8f8578e12bc76cdc0bd182a8d62cf31a4536c366256a6dc662522fc

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
22a7031ca9f23e6631545b1c6e388c70

SHA1
2690ab47537307a36085471a67655fba02430d17

SHA256
af94ff00b922f29915366c990e40b94995cf1766b5be804d39134d3bd17728af

SHA512
0b7ae815541ff09c5fc0c710a668cc35d3e91a98cec712aec7f65d7684441451168d36b78ebe5b2daec166ed38683f68d85923a1953ae6b0e724a4ee0e05617e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
fedd0e087264d555476a457323fc2335

SHA1
d44c396f2bfb069b94ff7684b2e74787176b0c0c

SHA256
9b5557b2f6b63cc489da7d1605276bb7efc0800851475e2a8238c0c79e9107ee

SHA512
627cf128da273040ee0e898cb715f1fce0df6e0906bf2750ef2b015e841f4be95dfc6234b5a2921284a2ddf9b3a1f2d2177c42ae7a5e4c418bb969e3830d78c2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
1e7b8eb95431e3b70b07f27117f22178

SHA1
6539376c5d0638ded897eac669e0332e5bc477a1

SHA256
166a80dfe3002f7d8c5a60fbe4289d14042ddd1e86b8dccd9aa7b6980b976ccb

SHA512
b51314aae673903f76bfcdcbfefbbc81022c8ed178abfc61573b66121660e9d013c359839208d07d7a54eafa8781ea4da175318d53e6060e15cc013e2f826a76

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
df4b3b6593fcaca3073e8ca68d7d39dd

SHA1
e20b7eb7de69551b41b13d877f0d7fc165738a1e

SHA256
084667a5827ee57db6bfeaffa37de85e639a276ea4b3f9a7aef3ea76d4abe482

SHA512
93993729b7102451db9d2ae49fbdc903b1276b6e4581be8ff278dcc678a5d15ccf03219daa9df4ffd3739a3f36c89705679b2ff3c512a69350251bb3016b4c92

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4a1a4073fe8c26ace2810fa85217f113

SHA1
8e169d2bbee4261b529d5bafe90ea39c773584ff

SHA256
cf19232af791e331b5dfb65417b94e80fe804cbe60b8af071bd9aac82b43dac5

SHA512
038d11c0b5b6fb45b0cb198bb7dd637615c01619dde6727b4991d814c82719ec47e457080049b5264bd80422cc845fc024029226e4b22b3f9eafab176a560d22

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
907c7b796d52cd845c07e26d692f42c1

SHA1
d1f8dcb48fb6d20a5e29eb04d10f7c2d771aebbe

SHA256
0ed0700131037068e5f02d313aa1531e31bd0247c7e52ae51482f7ebc9bb83b9

SHA512
21328761c84a2428275df0701b3cda413be3bc2c986dad4cdc980c1931cc2ccf5c660fc1ec2efd177d03c3298fd4eee4bc4813fe8e8efcd14a13c9efd00a4bac

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6a5c6138259c6570c3c9cc6bbb78804d

SHA1
9c8fa6c616579d0c396215f414aec35bdcea4e00

SHA256
a771f6d14c69cce005b467f320075c481dbd182a9a746aff541d1b85a19c8983

SHA512
54254a699d3333893b0575a78e6dbfb87ffa37997f47c53c5e27c68410c89bf96a245f8389810ab05d5fe18ae7b63a3d6038ed56cfbcb233acd1da8353ccf0b6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3b3da10f125b5bb63e5038109867985c

SHA1
4cad2d7358b77f16829f1f3e283c2f957295dfc2

SHA256
fac6c4a3d67d6f5147c4d6bc7f66884a59b38378bb2d963044d5b17bdb8c6cd8

SHA512
530e9118d91857e4567053dc43518ffef92c36ba5110eb0d0e5428aef7d2b401ad47dedadafe1a411a9df0d26d699bc9042953108f0bf6227751871c0c2b2351

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
0b4e31084763d6daa4f8f8fbaaef832a

SHA1
26d8e63051ccbf54d207790d45b6c474de5402a6

SHA256
0d443571c06d833d05f7aa1fc764b957e777242da44ec34f45aa5dd2e717ac94

SHA512
372308020aff10b055c9cc2b248acc344b43136754d664be6b46b28bb677a3317d82ee4f57cbfb356acee6ed08681898af23ff09b326f3db9972e7910fa89064

Download Submit
memory/1476-363-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1476-143-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1576-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1576-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1880-55-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1880-61-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1880-54-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1880-65-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1880-67-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1988-498-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1988-167-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1992-256-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1992-118-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2224-386-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2224-146-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2468-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2468-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2736-111-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2824-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2824-497-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3124-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3124-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3124-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3124-43-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3268-73-0x000000002E000000-0x000000002E1A7000-memory.dmp

Filesize
1.7MB

Download
memory/3268-8-0x00000000009E0000-0x0000000000A46000-memory.dmp

Filesize
408KB

Download
memory/3268-0-0x000000002E000000-0x000000002E1A7000-memory.dmp

Filesize
1.7MB

Download
memory/3268-1-0x00000000009E0000-0x0000000000A46000-memory.dmp

Filesize
408KB

Download
memory/3268-423-0x000000002E000000-0x000000002E1A7000-memory.dmp

Filesize
1.7MB

Download
memory/3444-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3444-494-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3500-99-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3500-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3668-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3668-38-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3668-32-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3668-31-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3944-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3944-499-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4132-16-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4132-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4132-110-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4132-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4172-495-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4172-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4352-496-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4352-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4520-154-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4520-74-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4520-80-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4520-82-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4748-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4748-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4824-96-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4824-158-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4824-88-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4824-94-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4976-162-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4976-100-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4976-102-0x0000000000960000-0x00000000009C6000-memory.dmp

Filesize
408KB

Download
memory/4976-106-0x0000000000960000-0x00000000009C6000-memory.dmp

Filesize
408KB

Download
memory/5028-149-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5028-69-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download