52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
Size

3.1MB
MD5

099e791b966de283d228c2a69b1e6297
SHA1

6773f5d3c1af4641de7221aa3089e4d0c36932c5
SHA256

743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9
SHA512

6cfad4c213b0f2c126475601cbd6d514c292a987a4d912064b04aed4d9ff2dcf67758d31a610553c95b8f6c7021001ec05f0cefff95a0c16edd2a000b890300d
SSDEEP

49152:IXd0uVs7O9REWcUzEmJ4KlZehXuABiFCQf8LnzaKqv9imFvzzEuDLNiXicJFFRGN:Im22Y0uxf8LnzaBZFvMa7wRGpj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2656	alg.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3116	fxssvc.exe
3108	elevation_service.exe
228	elevation_service.exe
2300	maintenanceservice.exe
1348	msdtc.exe
4788	OSE.EXE
3284	PerceptionSimulationService.exe
4820	perfhost.exe
2328	locator.exe
4676	SensorDataService.exe
2892	snmptrap.exe
4632	spectrum.exe
2204	ssh-agent.exe
4900	TieringEngineService.exe
3676	AgentService.exe
4968	vds.exe
4220	vssvc.exe
2372	wbengine.exe
3472	WmiApSrv.exe
1956	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\System32\vds.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6a09405b38f5360d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\spectrum.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\System32\alg.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\vssvc.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\system32\wbengine.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CA9E0780-5A2C-43F8-9E63-52BCB11A02D4}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CA9E0780-5A2C-43F8-9E63-52BCB11A02D4}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb65a30a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002071ab097d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d16de9097d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ebe7e0b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3108	elevation_service.exe
3108	elevation_service.exe
3108	elevation_service.exe
3108	elevation_service.exe
3108	elevation_service.exe
3108	elevation_service.exe
3108	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3396	743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
Token: SeAuditPrivilege	3116	fxssvc.exe
Token: SeRestorePrivilege	4900	TieringEngineService.exe
Token: SeManageVolumePrivilege	4900	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3676	AgentService.exe
Token: SeBackupPrivilege	2372	wbengine.exe
Token: SeRestorePrivilege	2372	wbengine.exe
Token: SeSecurityPrivilege	2372	wbengine.exe
Token: 33	1956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeDebugPrivilege	3724	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3108	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 4848	1956	SearchIndexer.exe	107
PID 1956 wrote to memory of 4848	1956	SearchIndexer.exe	107
PID 1956 wrote to memory of 1628	1956	SearchIndexer.exe	108
PID 1956 wrote to memory of 1628	1956	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe
"C:\Users\Admin\AppData\Local\Temp\743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1824

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:228

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1348

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4676

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4240

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4848
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dd7b55d50bb7f7ad0f81309d913e554e

SHA1
f164fb43935db0d98539ab6c11c982047c0c27e6

SHA256
a34f6d7423245ebebb139a6ace7a9183cdc9bbc9986ed8c48cb0722fd9afd28b

SHA512
3eee33a207fb51ac0f4e0dbf2fc0c07d26c6658fe355d1896d0d0b25d4d2800c3e6020d721d98280a37ded5d4938cc7b27eb4d3233a8da43a7234e6498b390d7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
89feb938760e2a34ee5efa3604b76dbc

SHA1
1a5e18510ce72fdab4d6fa6b9c599ac7c8c6c771

SHA256
2c60481c9df62ba29a177ec6231f0a958a0cd76ee6920d6bf01cd24f5683938a

SHA512
60497ad3099a2b172accad69ff9ad0f9bdf263e712d5a5cd0b40a813174ca6efe186387b9cd76373744bddafad9423fdde74af5c1598fd060cec1804c5a1c8dd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
1e9032496077beb034c0b1a665159929

SHA1
19aae1a50abdcd87997cf7725b8bdd72826a29cd

SHA256
05892073fad9b2f4c31a4801a924d5c4be31ae7b1bb67a23a69fd356131282e4

SHA512
a01e7f2ea26d999d663e4eba669f9f8ec091f7081f53961ea4f0052ff5f8a7df05264138652815e978729e9c4ad78ea5a67826e92e482bb69a80394bb7bd80a2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c12d1d2d9d091a468cd9c4de8edafb9f

SHA1
4943f0a09f6508d95ea99400275bdb6a903325f1

SHA256
be7c14fa2d622912ab8c9136361368259f772a82be39affd4b66bb13b95fe316

SHA512
40c53690abf14875cf90f04b54fe2680c3e9cf05d43f7a9c9cec0644ddeb234a99b9fd5a4c831807475c1c535f03c89c6a1fec04653a2b3dcd0bed8b35373795

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c00b401389720860f96069763074253b

SHA1
a0d22af62d802dc0bdcf2b7c1addd2ede65543fb

SHA256
4ff4261425c6fbfc9a7fe02dbf938807afaee73517e4ceeb5d83b9246114c954

SHA512
2c0bd5141344c4b0d52a2e8c0816a5c20e1106d57616ea8ada2e2d3815766e7efbb7e65783c0e2836b33edc1587bc16db4ac0ac5bd6f01e8df25d80c61839ba6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6233a7f7ef7a540b52d36143cb27b401

SHA1
de1c8e0cd3afae4402564849e5bf811cd4a46790

SHA256
1969e4fcab6122ba3f01c301bb64e4baaa997daca2ffd03c84f864acd458b26b

SHA512
369c0f656a2461dfed1b56051a994f38caf9e45a27c5d6848245b2f54e0a1381b2b82fb439359197c5c539c002212db092ab3c4d5170d0b3ffb8a23c87ddfd89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
4b389b05c93cc7a9b12182a757c4ca05

SHA1
ac1afff87f9769b0d7d7b83b870c6e76ba16c319

SHA256
0cadb3f20a146172f13ef5d9f6eb68248766eefbefe0725167eff1a1ccc47054

SHA512
6557216494e16fc42e17a5148728d0c07fe9fe15ef9ef0d69b302ef993283e425125d89dcc84e1987bdfaf7c3d93374c2675878dba9db952c3a15d129331fe3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d2f5b9499050989b634e4864ed0df1c8

SHA1
e1da4f24c4e07a9ea72e1ed09ea677bd461b94a0

SHA256
b46445b7637015f2f9c3461238d18e0cf41241fdaaf9e315dce2b7d3c17a390b

SHA512
de3fb09fcd8127b3fc57c39c5ea852c2c47dba8eb5ae82db0c7348ef509864d6ac911a69f9cafdfa96e8f69f2ef3ad35366c0b64cc12dcc48db23eddc7693560

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
15c823c3caeec7fa0f6f338b4bf266bd

SHA1
a9afa14542a8ee77c1eb3f939a706fbf6e026fb6

SHA256
af5ea93fa94299d41cfe676bae8aa4a2719d591b803818fffbd978754a284127

SHA512
2bdfb9896da8a002e43758f1b7de5b10537a22f9d9a3110bc5cfa8d4dc48e2ade20a0425db06d3b4a2a5ee1b0cf4a8e62dcca7703ed04be05c8b91dcaa853aec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9d5ffe007c993ff4d81891e2a0d03433

SHA1
ac6477c0904fbfdfd09c41c228d65db954c6a891

SHA256
e58870e8259ab093b2a671845f148e60df94e2090f7050a591accb78a2c2c901

SHA512
7a39ea236275d650dcd1fa99670aaa927a3983b16a80ec3c3528aa683be7b7e38bb74f19028d6701f435fb5997af501636c1bd44a0a676a1fd92b33157a03f0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e594e58bc57f3f8ece0fc63ae2cb6692

SHA1
8b7bf5877283d66539ff67a0fe5dfd7f122b580c

SHA256
52798dbe34680c17ece684d807adfbd44ab1e093603dfcd5adc8259949d4e529

SHA512
96261ccd3fdfe16bb389f137eee61fa94a1d04e2cc5e7376a1fbb677b6b835e3ca22bd93de4481314583390dd43e8286013385bad62900885199c23b165932ec

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ff9b178b3cd519be6f5dd4fe8eef15e0

SHA1
8616070e5900a103c82a1e7fba1822914ed349aa

SHA256
657ffe43b990fd45198fd9d814ae0853e42bfa22de39e5b7c43b2575d36cd6cd

SHA512
7d9a8a42dcbbcdb638a18ab24193e39e3464df7dfa55f3ac998fc5cb379d3502d4c5be9bfa245d6f0fd6227b359902bf8160baf4865da963fe9cb3e1d1414f10

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
ebfbe82b3050b12f92e2d3c67a07ee44

SHA1
17769233d88ceb6f369a965fb08ad24f2e74b4c0

SHA256
5d06e38f650ac08b4b01b19a00f4affff41918792694550eea422065b1a5ec0c

SHA512
aa4b1b6a684766c687bfef8900a2e29faca2ecef64850de8dc8668de9ea7303f84b8f48963c7788eb60f2e799822e38b1d9c39a502f8a712dc9a00dee91b41da

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
21692893e63cb058d2caa1b560f8618f

SHA1
e1b20ec5452a2aff41f4323514caa3b0041c3a45

SHA256
328b52b6eb262e32e9ccd597a0277ccdfbf71faa0386c4cd1cc1bb62be8becb4

SHA512
ce7bfab3483c885af0c63bc3dc4ad220e04e5d2cf23250f010d10eede81eb3e691bda758b75a05174887d73d5548fcdee71c174a1065f89f14ed73a53651ef9d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
0c29a41c7b88fd7be35948cac807c37c

SHA1
8976806bfb742c92e194c5fccdab543bf7eb0894

SHA256
49cea27609264d62dd23e327e9a8b84157dab2fd7f1ce895b600eec8967bb34a

SHA512
aa00838df81cc0030e04652e0cf814bacbc075035358842e5daff339bdd8f59c78ae254625f4ca2b28017cd8c3ca7fe84e2b646b4b1156871ef7feec98249174

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
544b126e22eebcc724688842b52d042a

SHA1
492072f5cd39fee17f1d5078018c4e8908b6fb96

SHA256
ba2be32f045100f5f493e48aa170c10fc2e7a985b8b163075feeaee623fa9806

SHA512
8af0b91792847622beca0540b8af823f2c7ba10488ba0ab752ff7f16d118590142222ccd12a97d0dd3b7455cd4891d3ba86d4511e15002e41b5aa35ae32f65a1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ed9934386867af7ed340ea01b137bc71

SHA1
77c2aa02f1a22796e4e36569810c6cc6203f5016

SHA256
ba5699097880d8cf140a922994afcb178ae5e6416604ec16af44adf2f1b73b7d

SHA512
2d4e0e54b822d418b79dd902dd69d26f8aa7cca5a928bb5023266bc53269aae905bc2f4f4350183ceeb86b2e0cfd6a23bb939d88d260d8a626f3ad7e5aaf253f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
35d17ba75671b8e71a3226f8d81a2567

SHA1
7db39e2397e39528903c6df1f00b8cd34c75c5e1

SHA256
638999124d4697eda2b27bb1463d1bafc59a79043431c35586a67599b9270959

SHA512
245392fdc578672eb3fb98ee72f246eb44c3f430106cf41a19b2a397c03629bf4fb8b6d91375a75a2832ec815ebd15dfd96c2590fb04bc3ee6e9d5d235dba142

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
8c54224f613b8a1336caffaec6d26b59

SHA1
b4df7f8d7aa1730a925b0332d79dbfffacfde2a3

SHA256
4d1a1747ec5d3c30a0f6f10890b06f500c0febb3f64487ee61384a30a0d49bb2

SHA512
4c1ae4883d0575e0003eea5d7134ee2401d91a2dc7df0c73ee911a5eab70452bed76889f10afaea9b457bd76235166a9daec1111c7e120eca1a084b15f81cfa7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2b508f1bf148952bdd1e97f475485188

SHA1
6f2ef40151201d2557c4137731125a0d9f483593

SHA256
49cb174ace012e34f5f9d99b8f49afc0ad2286d3fedbdabd37f9bbe05e3c0147

SHA512
0e87779392415d8374ccc3d6c59e7ef12274d07a63fe93057ba189d665d4eb320b7c201afba5879151bb337bde02fdca0e67bb06abbe8bcbd0cbdc983e14a44a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
67b0bc447e3be5eb6482069c2c8a101c

SHA1
2b9eb3b88e83beb081c7ffde75ae329164863212

SHA256
ecc12fe1a4ba04bc4ad6b6c830e2c74395e6b011092c43d51a91d0714024bb35

SHA512
5b196e5397a7e41bfe70514a709e5caff8f8d4a1b5a93b7094db5d108860390d634886ceff371675e73284bfe03015c6ac32ed0d4b754090aa691a49630f1d29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
2dc5441bf166545cf8e472765d10efc3

SHA1
ae188a85cd9f6cab8863b568bf8b0f8a3f38a8d4

SHA256
4605822c89612cd9cffe3beb68a311adb2ad2b08447209f130a910a980423d47

SHA512
3081fb471d885af43f9bac55f20ac4986913684c36a441bcb050b715b130deb692360f50ffe9c732fdebf80b5635d7b703c08a2da8efd51a7ea116dcd34a8bed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
cd566cb39c1d52579eadb1e5a5a0dcf4

SHA1
0d1b69c533ce2f64726aa707ce37e5f4eef2cc34

SHA256
25ed956b51fcd7673e25d84245c0b71024d4623e72a4eab2db72335edd48a86b

SHA512
db027b36130331682a2e8b7bf3dc6e3ef596bc5732bf0854e47695bf895870fcf7fe0a39890f90c7563c651eec5f832b3912357be71ead1e8804d57db1092395

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
33c14fb3dd23c338a30cd05d14d43b4e

SHA1
6daf188f2947d30ac4e229b709e48d7f175ea0b9

SHA256
f2f8982bf9a0e0ab9789f949a5811f3ee057989a261478d4e66061d8f3e5be56

SHA512
e8fda956dea818384a57aba514ae65e238c67f63cd3983e0acbed06f6329dcc9b3fededbaf485439ae7460ab9ff0b1625771dbbd450260b09222944ea508aba7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
eb58333e95c0e33ebfe75479d180f6ab

SHA1
be2fa22252ea26aa36e890acae1839b4c6808d4e

SHA256
6cec1961e62874af5c02716e7b5fd7728b2483abf646d376cabd1af3a5ffc6bc

SHA512
5f6e4b7d86d004fd2793e09b4d9787df62abcb616f4b85d3d8d1409e3744f500a0d3e45dc23bac6d8702280eb2ac875da3b701698046b611fce732744e027bf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
eab1a891a557f1dcde6261549513b60f

SHA1
5b795551cde3428556f06af76efe0c9e7baa8a66

SHA256
6fde8a9721d28e62f5ce977a9a899f0e9dbea3c17aa8c257853dc5d2c5bb25e5

SHA512
1f845f23b1a4de812f83150a7aa6190e5677b18c3349df22dbfa883c34ccb6210e69577fd8ddfbfc87172d0e0777ec406069f26e7378dc69783bc0278d702de7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
4f9f86d64e65b4fd01aa155caa47a4aa

SHA1
553f8b21820ca22717298bf949f852ab50c43a7a

SHA256
b1c05fccb683fdc0f6eb5cf9db33811defc772da44d11b7fad48b7ab45507cd4

SHA512
83c4ca2bcd6b3ff832b9f37280170e76590565138466fe3a7e1aceb0f378595ae17ff0a0c2dbb58e1e531de8d90b7fff41ab5db7b28a043df9f28dd9229c3978

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
f0027ff88eb5b75e7a7650aab63326e7

SHA1
a981aea183436ade64c01211f013081140c780d3

SHA256
e33fb1e52564a6f3359309a2e611165bc514f69b1c5f66f3b535de13f9a7711f

SHA512
1cb4a0b98a6391a4fe6bbe15302bd0636f3088357faeea731d7a2978232dde3987fb0f838055f049aac91d5aa683f6781fb660ff2ce86c871824ace6821e1d48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
e0ff3ee8315d34789f33961ebb5b2902

SHA1
f0c4eda760f461194437229960c5d942e0f8fdf3

SHA256
069e0b3aba32f5ee2c433ea4bc5b2233d07addfa2ee3fa4a5d1b1c3ad1058318

SHA512
a125078115b9523d22526069dc89c6fcd55f8011a243369e57c35bf49b90605cb7173a11ee435e7678ab5709073b49f99e23a231f1d57dbf5996276862785e13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ca140f55d54ca0062f987c16e8631c3e

SHA1
e822e484f74eb6b30986a6eea3079d1a88869379

SHA256
fd8b2355746d5c2dd0ac4b488f706bb836d34eb2ae85a0e71403f6557ede84e2

SHA512
459aecf0d2f32c5f20ddb48115a6e859ef90b41aaa6d9ae12b5e116d7411928de446c4b915d8369b4e4afaec3ee11837d26577c56da5c997120b78d67d3587d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
a2b9d189696b352b4513417d35dbc630

SHA1
1c83ae02a0b1e86b023e3554dff8dfeeb6c46167

SHA256
437e03ad0529c4973213681254e13631bd5ddc01021b25ca798a70802b993a7a

SHA512
10575dbf37a28f3a29e4b997cc6846e1161cd006523e769835e61e9e9bb44100e403a7ba801d9bb23c01d8c612a6fa5c90a2cc495fbeac612bc22d8dd6303395

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
c19a274394d772262cf68819455fdea3

SHA1
d993a9c51e8b1495358a6a0b9b9d698af4722335

SHA256
5d9855caf9856aaadca506a5b600b394bca3a7dc239e60e44e4b1687576f2238

SHA512
2b0dd027d9cf31a8bf73249bd3110587577697fd955fa1aced8e03c97e39fa1380e8f51de0af393ec974a949c747811e2e43892f7333843c5e45019609ebcc12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3e13c5611a44d9ed599e80751b6f2638

SHA1
b2ebc593f7907a0fb75a82067e40ac820d82b609

SHA256
f8e1452deedca0f9fe8a587ba875ba4a7f7175cd90c7bc4803466d3851fbb10b

SHA512
ceae0dd921e9d95b381d1e46998220f3b18e16c8e40bd03474302387e5c8e2de83b60fdab8a0d1f10c39da1166d2518a2b326a7a40c74caeff8787314ba39dbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
3c8f866623c563a3d3f54b3e061cef2c

SHA1
c5d18724023194e8c709dd62ba1785a1c51ce700

SHA256
779c0894abde7726b5227aa00230633dc5734cf2f2b5c3161f0d4d086f876449

SHA512
a6d19b7119107e805dd10d01d3bb56df3e9e23acd2c0eadf52026a703fe444bbb81de346a149af9b7ef6dda31be4f247b1572aee4d5a41efc956b15cb26ca3b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
776e0f266dafddaa38b3635d3f0cc980

SHA1
b965717d63400443fd14f9dc5affd923ffc0be96

SHA256
3d1bb2225811363ff03a2dfa82dbbaee042f8b6e3bf109171e926a8c1ca19ef6

SHA512
114899b7d92e9595420eeabc4b1418dedf261636e02a7907a4ec17e877da2046f04b2b90425e27f6e68db8d3eaac62457518db71cb305482af600f2df6cc2c7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
48a9d000c29a9a5ee55d32d079cd10a4

SHA1
b30f2e44952b0fcd41b4919f77fdb7fc7cd9e18e

SHA256
5353b4df0a6b5aa71598ce78fc9bc6a74c0a63a00e9e9bc8ec66286aa678d521

SHA512
391dcd02c6c2b52e71f3770ab5962fb2a7a01616e964bad50fa3a89bb286f5154e5eab4bc53378eb5d74f11d1db5ffcec991a9dc89d685279027d00ec4503a18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
914838b4b24e73ea59ba13f1bc689ea9

SHA1
887bfaf3272c0d26207af74777ab9b36a8ecd260

SHA256
65168b77a82a1cc30244c8dc18db149b9a4e22c964a5c2e2c3b139110c530f72

SHA512
9127b5fa5f9bee3fbcfd254b39e74c3eb11db96455f870e59f553c9266fe3f6465531faa29a3bc800cb2c1043a55b56b3cf2709fa861b30fa716b10a951a2c1c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
11d50af9ab2703291e880bc6956446e4

SHA1
55c0a79d10fdf6d5cadae58469d9ddb6dc8342bd

SHA256
45ec36c030af5e40610ac04e513223099be626320a396e54b1fede4d5eae5b4e

SHA512
478dc0a854b1c6f872d206850344aeb1dd256baf8ee58c0e0cf3967340695588ccd0df578333ed56c71f75112cd313d1c32e4717cc051dce01bc7309e99b1e17

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
2333a5d45d974764d575c32c29a609bb

SHA1
173cde9d47fb9c1817ac8002da1b0d00257f0e4f

SHA256
b81b3c82ad4c88025fbc3f3e2077a942e37bbb13e18ca2b960b90b1e6d71ab08

SHA512
b0ed97cf847e080c12a97bcb07be2cc58517b31eb79a94b2f0a49c7a599dd934514c88bfc3e8195a11e7111f008d54b1df3e7f840748ada6b4c841bfa187f837

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6e3f156c14a3af05898718a0bdce3497

SHA1
e9fe8dfaf002d34459a71cfa1e92231cfc5ff991

SHA256
907456a9f9e72754c09ef7df0ac352f2aaba0227301a5eccefb4d0adfb05a8db

SHA512
f1107fc6e46aaaa93ad0669ac069baaad1fee50b294cefe6bda7684dcd1d322f8561be153ca4467942fbbae1db1700e5ff5e21c54148b7522290a1acbd4bbe6d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
373bbf73d2d6901bec77270d1b570e81

SHA1
dd2d33e42d394aa164bc30a04b8a43f7b4b1b7aa

SHA256
c1dbff31b38f9e2bcfc276ea3259f7bc33f2d6717f9cb95df8f9eb3b9a3bd46e

SHA512
fbd15d97b684524e624cf67c4a6b0ebad0955e8b80dbb6055753f514997c2b4403b7a9d8f46a1ad8d844984a60dfbbd8cf481793b71cbf90de57db4cd30a26a6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4c02ca92c609ba541a68c8847b5cfb00

SHA1
600577a2dff65e538992e9a5f736746529ffa062

SHA256
d0dc559e41e4799db417fa59da4578a9e92f9bed0c6e157638bab572a0801385

SHA512
46b14807af20a3c25b97b391eca24823de0c3c11610595727f14d8c85ac023c4adfd01580683e0ac7d7545e6665ddee9cf5870f8741bc4c78606dc55da005cce

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2f9c5dfd3592883ca78f6dc377a27a6b

SHA1
e4dcc472cee6e918633d7176d02d875ad25eb709

SHA256
02d44ad2125ddc09490afc141087042df98170c7b1aa19271b6e7072bb518f52

SHA512
0d59cce4bcef4e782001296aacd5686f2ccf392158db7cf4e8fe810e5357e839b6a417dde9fd16a0c1582b532b666379ce9bd5f9ac01047d43b8d9199993d29d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0ca731c1a8d0e503f8634bbb0a964134

SHA1
e64d5de1b76e083956153c4990cbb95bdd7caf79

SHA256
c136bccdc91b0b2ab5991946c79f6f53710dc9cbd0f0fe4d1a5316021163508a

SHA512
564b5166cf6b226a1fd44d8daf10aeba1b96e334625feafd1edb609cdc0673439b37b3dc214844e572bfe534fe0490fc3d740be16a94f8eb67451938382f8e60

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
def98bcfc746000e6a8770ee3132e2d6

SHA1
c4eb682b1df4fa36f1fad7896a3fcae43223a5de

SHA256
97477f3efda85cb96936d26e60d657110c8a61f4528bec7c3f9c4fb3528c4707

SHA512
6077c051d30ca333882a30842eb0d0306cddd4fc4fb3a27fbb5531ac7b8dac8fcceca5f62af88bd2a166cb5c31ff5278212d231574fbf625459afb8118c21a84

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
181b863714defb914eb20e7c0966be67

SHA1
951d55e091be2b4f81df801c76193867ed5c595d

SHA256
5f01382fdb351912e1888eacb51649e4e4bbabe7d3d162027f5306fd3735e1b3

SHA512
73c5dc7573f8c20baee03039c2d687181fbf80744bf0102bb27a4df7a5336c21cfe3edff86fff21d2e9a6ac2f47a0361dd000df365d25e9c8f0726369d62c300

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b5d7ea857170c30aaf09ea6aa68713ba

SHA1
e41989119fb0f54c1498db17c273b8c7b3919dc5

SHA256
b0ce3c91249283b014d1427538e19a24dde829c0a6be125a1109e209f7ab8d98

SHA512
873918e8b2066454a699133b66d5bc3aec4a77e6be5d230dac4c351c21976bf716c033ede93aebc93667b899d68d0b4aa4acb74a3d066e813e9e728e29ff17d3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d9e9feb03b964cc1f7c13a156c88137b

SHA1
f7a29bb2afbeae74f901434ccd322c8c6e79ae6e

SHA256
d0ef14ce47af9604de77a5a44cfc9fea80a4a7c51a6f6910f29bee51b044fea3

SHA512
c2d47514394fec3aac1c7ab9156a362fde29843c23391416aa9431ca157d54e5887133015fe66000658bc45994543e8cbf6da9cf0c8019a5064ec4dd71a8a328

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
41ff837b452df104a33dcd0d4ffcc31a

SHA1
f2b079f8857922a1a6b9fe5caf724eba5df11839

SHA256
bdcacf509512760454fecc34c5f9f43db04d18f0293c50012d18a81a92035445

SHA512
165fd44245a0c8ea153fc4e2d5afdd1715f20672da2f8f7cf97b57ca2169f2c03743772c51e70b3710a2aca2c8448f2efc7aa0ef34de70bdedcb83cad75e1559

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
53d5f3633d10cd38e18ef735f655abf4

SHA1
ea3fbdd123a96f6543620f13f87317666fa7b186

SHA256
5257d45126c3305e2c94018d06410200d9c2a5d628fab5fff1523f26108b6b2e

SHA512
19e7b1465015bc40dc5a731ee146139fe4f549c1d27646b6bc95ddccff0d6cac534b4b507469d1fb391444c0f2e8f0a9dc50df775263db4d5cfca4756aec0fad

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c4dc853c2ab588d5e34c7d7b76099d24

SHA1
e0dc3d915f6817abc5d6dcf81bea38052fcd495c

SHA256
165325205357757df111a1d9b433e9297c9f5d1ab0ad710e89d71ece2a3a9ead

SHA512
f5568e940d93b34247aa28fc6963e1bc5c856e35a15d50ac383287f0ad2986d7ddb5c697b574d56136a1c77e0b47c422e3dcca7c1ed6bc2ddfbc59349ac2c923

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a7e68a2692e7f1de5df96bdeb9d89994

SHA1
d7ffa90a90ae0dc9a50e73db9baebf40c2bf0f04

SHA256
80bcf9113da8355f6bc24dd2bda5be3996f8b5edfa90dc729ce7b0e12270ed7b

SHA512
ad12308d9d381f8df5f1542982854ed57dcde7eebb84b97f17b9f1afc78f2a8b265f5d8a0014cc59280797ba168775164c3186628ab5671a7704dfd1c8da1bfb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
6f72406be5bd52bec50a98bfac78f1fa

SHA1
615ba7a5ea7e3f6c9a70b859e7809083dae38e85

SHA256
1b8384288898a050ccaa69e25cdd2029aaf0e329c7ed869dd2325069020390d8

SHA512
b52f05f4ce4f3c03b99147bb83cbab6fb80e59c8ac3e74e71ebc1b4ae7370dd261313b9b961c30686c8a6700697d943c7b9f29058e4d249d955695c7af1ed8b6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b12d9922260bda57e94271f8e106f7a0

SHA1
80501c788e98fa2fe0248b4f3f496fc5ae1470d4

SHA256
f12b89dc0528e65339d42f1463851fc52d8f041ea15a41222391dc18caf059a3

SHA512
c2e860bcb5b087555bc02317b04b79316670a207146792a7dd392aaf77ca9fdd7dc2474d9fd0e69e3ecfecb591d1da6756876b2457b76b53ec0bf13bd2ae44cc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5510617cd49e05bdf73414a71b6d35ee

SHA1
9ba07975ef2241b03d1e6e32599df67fa731aa3c

SHA256
54348d3f99ecd85fde722150efaa706d4ec16a173b75cf9ec8928f2b7946c9a5

SHA512
a9848c8c14ca2c1e057323d58efbf7f06087fa3b86e99ebc6447832886f5e5b7d65a4c7ebef205150be5a4152b03613d3fd7a7d371372b00ae258b6246994c68

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b5c3dda99089062c1aad3fd457b6f3c5

SHA1
073fcadb5557df0161b6564eb8c54ff4b970f009

SHA256
9037aa1f7688e9758059b389ce8be37e2bfd10e55f8066baaf0eb0e7b9483c28

SHA512
e715eccdfb986cf651abd016dc7db19b35451290ab68ed774ebf0d1de02eaf3501e9cf4a9cc02214857b99be37707c53533ab929e41100f37af6d49ccc7ef13e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
72dcc799b563e0e01d9da2774aac6764

SHA1
3afce8aa0de6179667114335589bfe99b0b48aa4

SHA256
175582c74f9215b793f61a30cbb7422d5076eb4229cacc0cbe067b39a934fac6

SHA512
ba770cea129dd687ba53a7807c9a93ca784141446951e2e8277131899b33ec7c735ea4705f811ef907f8ee66cfc21d72567652a260de61f268e6e694ab727b70

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7d47879d4ad54906fe9f12df45c75b43

SHA1
27c4ff649f01736bdeb5b5c8cce3ae5d03d0e153

SHA256
ebae84e28b375a9483562a5c2ad76a962e7da582da8c0d4d334e8f9c99c46755

SHA512
f59b2ccd5663e1a59a7173f8b10e4679ccfffe72572bdcd01bd5e29a13be7b0ca6cd7a9076434cbe189ac5359002d4ba90be92e66e850b2ced64218b6ef1823d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
6f36ae2fcac5b1abd6376b226e3b2381

SHA1
acd372890c68ae76bb1d573561d1c2b5b4bb8925

SHA256
3bb23d8f9ce122a1f032a79f09477fa55620671d6e7041b0ad171fe9bd6de72f

SHA512
ec445b204d6cd45ed3e298c3136a0a3582621692c7aaeb1c7122e41f1ca35def89203e517c84e1f42a17e7601ba1d4bb1bd3f984267ee9f0740fdde7e4bfb9a3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
056836c3e60da96ea4ef8743067f6f68

SHA1
6ebe5243944a349532cf15b2c4a26a90cabdf51a

SHA256
23111bf44cb6725a69bc6834e81d7f440ab4f363b9fe02776058d6512939be31

SHA512
6bab73b9170ba13a845be32edd20edf849081d2413eca8cbfb538ef56f49a15b217552e2f2a53a8e266262efa8c20dff268e2ff9cdaf4cbf368113ce6787ad24

Download Submit
memory/228-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/228-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/228-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/228-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1348-151-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1348-71-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1956-174-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1956-515-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2204-414-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2204-145-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2300-57-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2300-64-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2300-67-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2300-69-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2300-56-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2328-168-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2328-113-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2372-513-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2372-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2656-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2656-101-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2892-254-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2892-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3108-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3108-123-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3108-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3108-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3116-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3284-97-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3284-90-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3284-91-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3284-160-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3396-351-0x0000000140000000-0x0000000140334000-memory.dmp

Filesize
3.2MB

Download
memory/3396-81-0x0000000140000000-0x0000000140334000-memory.dmp

Filesize
3.2MB

Download
memory/3396-0-0x0000000140000000-0x0000000140334000-memory.dmp

Filesize
3.2MB

Download
memory/3396-1-0x0000000001EF0000-0x0000000001F50000-memory.dmp

Filesize
384KB

Download
memory/3396-352-0x0000000001EF0000-0x0000000001F50000-memory.dmp

Filesize
384KB

Download
memory/3396-9-0x0000000001EF0000-0x0000000001F50000-memory.dmp

Filesize
384KB

Download
memory/3472-514-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3472-170-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3676-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3676-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3724-25-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3724-102-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3724-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3724-17-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4220-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4220-512-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4632-124-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4632-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4676-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4676-173-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4676-511-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4788-75-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4788-157-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4788-82-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4788-84-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4820-164-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4820-104-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/4820-103-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4820-109-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/4900-415-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4900-148-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4968-159-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download