e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
Size

1.5MB
MD5

a32d005c4a3c540091b1a51c620b057b
SHA1

ca94fea0e1defbd9b8a694672072b8e7838c7ea4
SHA256

e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd
SHA512

9e43f21951d7e07a451510ae3a3febeb25b581e3bf638414305e840d997520a8f908ffd7ac2266fc4461922b732ce4f5a5fd8c611988fdcc9ed959c05a02da41
SSDEEP

12288:NkA7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+:2ACks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3448	alg.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
2740	fxssvc.exe
3392	elevation_service.exe
4552	elevation_service.exe
4160	maintenanceservice.exe
3100	msdtc.exe
2168	OSE.EXE
4240	PerceptionSimulationService.exe
512	perfhost.exe
4372	locator.exe
3476	SensorDataService.exe
3364	snmptrap.exe
2248	spectrum.exe
1760	ssh-agent.exe
3396	TieringEngineService.exe
4832	AgentService.exe
1472	vds.exe
2436	vssvc.exe
1784	wbengine.exe
4956	WmiApSrv.exe
5100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\locator.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\System32\vds.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2a2e8522253fadf5.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exee83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AF181329-A87B-45CD-9D9A-20D884BD8E1F}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016b246b36bcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000750136b36bcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f1d54b46bcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000721368b36bcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078d4aab36bcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a47feb36bcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052abe1b36bcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fc578b36bcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e09f33b36bcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5012	e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
Token: SeAuditPrivilege	2740	fxssvc.exe
Token: SeRestorePrivilege	3396	TieringEngineService.exe
Token: SeManageVolumePrivilege	3396	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4832	AgentService.exe
Token: SeBackupPrivilege	2436	vssvc.exe
Token: SeRestorePrivilege	2436	vssvc.exe
Token: SeAuditPrivilege	2436	vssvc.exe
Token: SeBackupPrivilege	1784	wbengine.exe
Token: SeRestorePrivilege	1784	wbengine.exe
Token: SeSecurityPrivilege	1784	wbengine.exe
Token: 33	5100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeDebugPrivilege	3448	alg.exe
Token: SeDebugPrivilege	3448	alg.exe
Token: SeDebugPrivilege	3448	alg.exe
Token: SeDebugPrivilege	3936	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5100 wrote to memory of 400	5100	SearchIndexer.exe	SearchProtocolHost.exe
PID 5100 wrote to memory of 400	5100	SearchIndexer.exe	SearchProtocolHost.exe
PID 5100 wrote to memory of 3188	5100	SearchIndexer.exe	SearchFilterHost.exe
PID 5100 wrote to memory of 3188	5100	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe
"C:\Users\Admin\AppData\Local\Temp\e83690f0d57d9cdb4aee58a92d2479c778167373e8cccb5be6e2d1244a6f31fd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5004

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4160

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3100

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3476

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3364

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2248

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:716

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:400

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3188

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
4b1baa3802f52c33dbfaaab0bc5cff07

SHA1
443f129a5b36dec1858c6da30133eab91820799e

SHA256
c67830b2f392c29eeea23f232efc6275cc49747851e1f8b8bd6fd5001ab8e928

SHA512
ca51883ae329e76937999ecc86a9647563f67904b888239bf48c81cc0325a48ef00e4451c25b76bff7bfb3511ec63a5ad600bf801e7898efcfd8eeff2584355e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
1fbc0bf58ac399c2057751e292951abd

SHA1
ec81fba601249b8e8e7f3aca9f8ff728daf3301d

SHA256
c78b6722a6a428c58d420fa3ab408ba6189a56e6b5aec8f25b81b596515489f3

SHA512
c5fe26bb24c7d2439716929b53ab5e436cbf761fa2e5320ef418d17c2ea5166b62c601be403cb2ad34395e7b116b218e9b7b00f89d9d58ada38e21ca8cc06e2c

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
be4a5280864f4adc68fcdcbbf747529c

SHA1
3f8ce22480638a863701420d7c6f7df89af2e5eb

SHA256
dbf810c8aad70be67e030841aa4283a77892a6e9bd83e59ffc643ac779b45362

SHA512
c9d30d460b2aa0418f2979ae57b09fc9d7c41a888c3f2b0de7164d5f391b89efb51b3123c376a93a7a0f1d753f6ccce11474176b4673c57f9845d7ebc3680fdd

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3a62a97c707a9f08d475cc0cd8f62c53

SHA1
1dadff0896d8ca71e9ecdbdf775a2de4ecc8d345

SHA256
0e5c4f1f5f1b51cf3233b45e335b086fb57e2400debbb12fcff1b6ad0549fcab

SHA512
68f28dd40ac3da906d8b634f991e77161260824e9c0a91bec0e2a25832f087ada9252024dcb79304b23785ee92fdb133c7c0386506a8c65b8fe949702e97e20b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
6e1c310a520eca4e8366c37514967aac

SHA1
2a8f3857437da9b0a5fb94a0eb3150a8399935f5

SHA256
51b9712fed9ff2de8108fdd9df9f5f8fdd0e225efa87b77efd5a19122db15034

SHA512
86b6943306016d18f0b29373b14a7ee54613a9276d83d2c71f4c9c54dd8dde5cf6a116e1120c1f329ccd3b0678085357317e94a4dc60a6a9ab2de90bd990673e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
1292a2327214059d2fd71d510fa804e8

SHA1
4e85dee93486fec5add44bf51975b6277b5ce718

SHA256
2705019ba8ac822cf7d79cbe5df675c16ff92e418af90fcb712b07c92d9fd378

SHA512
5a41e620bf323eadbfdf44a0b9f40aae8e124ed852096576b597e285aa6e12eda673c485c9e7b950d713bc8023d760d83eb015e90bc46a88e1a2e163cf6eb5fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
4f17eda1f1b9600085416f006af61d62

SHA1
6998fe9fae8565bca70da6698d08026361f20aa6

SHA256
0a31316c7222df0eac548bfa7c79d84cbc3ceb5655b0dc8a22ed10e1bdf267e9

SHA512
9ef49e5b22e9ddd01b33d17cf833362de933fbeaedb357f7fecb2b14f162d1a4cc664a75776dc1d4c0d18c9570313f9b6b59bd6366c56cb03e5a2832b079ace0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
0c35cc781d429897e236db3a71e189d2

SHA1
c2ef4bf662f203f31cf715b18550181edacfa9b1

SHA256
f45d111f35e1f039021998d3de4c950269fc9bede566bae0ef11f0c7ff8b1169

SHA512
0c6b204b140715cea9bd5b0c775180281b1195b909b80d9b72a48073de2afe561253c31ab71eb83d8d10e28a788d1930f04945bb4571f68e65309e20a17c8098

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
b666339a8bc93d8167c26a1344dd68ce

SHA1
6af595a0489bba971d823f5773b1ff4589350f67

SHA256
56890d01b420a9f4eca401e596f5f5ca544d4c80bfa7ab4fe925dd22a89e1bf9

SHA512
c0c8307199caebde53d5708a57f39361d3a40ce6223f0cf3a5ec8f3f6cc180d86a424f0afc50ee0b14fde27b7fa821c7baebc756b2cdde72bea288e4d2b9a169

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
90ac34be3bedb382af9c7a9cbf3f0035

SHA1
7d66f723eaa7a224ca3655a9c4c1b5e65aa6e717

SHA256
5b9aa7c87b30f9615464a6364425c777020c7efcbef086b74243eb773418da7f

SHA512
807cc8b78caf88f67c234a2a5ae49453054de788e4bc4ad542fe11380387cbcabaf4223cb41e6054ce84f6185e7f9a2c50c1b88cf2311875bae94db7c9ba06d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
68d9b4c7a1d783dd84f4d6fbebe8d0d9

SHA1
197714de167d219950095044e5c2ad6f7a857e14

SHA256
ea4d77dac5ad78b0ff98c53a10d64501dfc91370481503281989ee9836bdcbc6

SHA512
1811826ae3404a3279a20910d29b38c12dc455ca589653fb0801c3c3db450c1b440fe1e924982e68c0a1c7c479e0ff0f452306db3b21c0a1c46269bac7fcb649

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
a14aa4db701a1b42e50dd598c9d9adb8

SHA1
430a8e1a05707ecba405125f52dbf5bcf3ece8ae

SHA256
d0718b3180e3066374afe4fcf7827b480aaed6c794f3e3218ea29df28257c37b

SHA512
eddc18b684c8296884ef1bb1d1d30637b35db285ea5d26c6ce7993686577667ca8571dc2832fc438e40e6071b53683a8ed9983dfdd49652f573a4391e281e1c0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
8baa977eb62c5997a63b3399fa7a8045

SHA1
0270e75bbe2f59e9ddc7d08c2169b39ced322a30

SHA256
c1e5f4f1e6a631a6f3977eccd16120a79fc64ac38ad760b5a740ef217f73eee6

SHA512
3f3d0cc6bb40796e44595251884c3e1799a982ee8c7220503383012e21b18f6d9d2b4420c98638a7c0839603c614dea247608b725c6d646a5a81938ab614d3cc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
2d0bfd3e786e37d6e8637e0b329522e2

SHA1
d86a1ab6d6604e046b7a73b16b905356e543304d

SHA256
b247dbc4efe42e038bcd3e3d94eaf0cb7e0d2e9956a4b9e1919c4800b34da08e

SHA512
6086e8006eab0573c3e1d814b5f8e503622ef01e33f4292d50619ae40bf8c4fdb12448a552e5f62cd869a6f8027874ac41eac10b88e9146bae6e17ff1055ba26

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
04ba3914ad748cadf92e3b1de3e5a799

SHA1
c243992489509cca5181d6e5fecc7e6e4c318e80

SHA256
bcc78dbc3d599514280bf7fba94aeee70252b404265861139fc970a43509cc58

SHA512
e393385625c17274c500358a080965675e07831a69dd706391faefde1ee03add5fa6a0ffae76275306dceff082a65db608e2b4145674dddfbf34d6f2ee2e4e6b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
4564715c66788dcabccdeded9da8fea5

SHA1
400dda268e1f00b411781bcd40cc20016088d37b

SHA256
c6cd973f3314a99e2308fc3314f05873bd862f0288589e5f05f3d931bcec68b3

SHA512
802f4dce6d10ede780839f6478138d33f411bb60d832f303fdf76e92494967924e94678c42272f5b7d5cb1784888fd721e37d171dde7b3ebb655f323760dd97a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
4dcc92fbaaf0c47de7c8ee37128d9ecb

SHA1
eb04d5e212e203f3463d71d480853da9ad37524a

SHA256
c406018de3ab891f5dcaed92e6e5fadb6c64af89d9c5deb969fdd909cef6ebda

SHA512
361a49f6d1d4af327a1d6374c4dbc58e37df01552f9aa7321bdf0637cdf64ebd166b9b531e16ec91035148c34022a8e8e1796ce5dffc8af1c47631bbd5b85c97

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
8fc8312dbe772b7bcfe0f13cf7843170

SHA1
fc56a47170f9245e51bce0201fb193cfbfb74194

SHA256
ba7e8aad25715d48bac1171af1aa0bb36bf57429ff62bfe5212198b02d2fc495

SHA512
5da4ee20f5689faaf9c10f3c1d5417f0b321675b56db17b8dccae2b3de2af833fae6560870898b308df0d9dd7a704fe8ba8c561f5d69bafb091188c75e6ccff8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
f93afbe7b7631422e0cbe9eac9c69fdb

SHA1
b8eb74ef45b24601580803db5556b02134a99fbf

SHA256
2fab523db1d34f0a14e4f00ef303ae5e976bf4cc608d45f2ae3c9fc2329eabe4

SHA512
715f3bdea2481ec5fec0c2d5ac2afdac968854cfea097683a5739a5e7ae4870280164c9e471f8d8058fe848ae4fe8bababfa4824455b2594b3c04977448bb3b7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
3c90ff76e26762a192e522fe3c3ca247

SHA1
d2f740679041b1d0749aaef66ec2ceba41cd056d

SHA256
1e75e8b477e9c2da4af955950bcafbc7d764f49e6fbddefea78bd86289f335f9

SHA512
c09d876206019f43688811df10ea20f41b08614c8b6bef0723e6eddf0222e561d02333892e35e8ee447fe1da55c916db87707b91e670897a5910e2689e2ecef7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
75e9c50becade0455eb8da9859231fb3

SHA1
47b3182644773d09f8f71a2c58ecc9a0b97226af

SHA256
eb340711b4ab55401df8dd0c3e0b210df3ca08c6c638d2aea3060b07dcf65d99

SHA512
fccf1b8b7fb6ae483a2ee8da8f0c523bef58bce1a12ad16abd42444176c9c0b2fd00ee64521819573e762c89bf413f53351821a6f7dd9793b9c12cff9efe2cfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
83360413b85e49643dec929b531854b4

SHA1
c5181b0ab1f152aad43f75da78896d631451561c

SHA256
c17e0e685b2a4437ba87797095a5e910405ad3f2f0402774c0cea3397a2a6955

SHA512
4a49a5b482f9a492e7e180d6bdff3597859c817a23e105f942b71354d2f407ed3783b5d8bb7d172409311cd2df0477f14eaafe72d5a0cc7578efecefe70683e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
1fec4bd65c2b329dd2c0dc4b741f0113

SHA1
6d81802366c0f27f4c32482c9bd965009ffb026b

SHA256
2c33eac39930f8b63a1e8b2f9aa218e75eb8617e966bb838d52f6aa394c45b22

SHA512
37a086e18c8fac8b3f0bce8190bf54579ca429254a4016b4d5ed7e2e9072ed94110eccda1475d3137062f4b995e2817a34c317adecab63d20f6cf0cd2a36a51f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
1949297f8a7a71789e5c2b2771dee1b6

SHA1
2be2f75a67510b1dec43f246c27da016e9c7e4a8

SHA256
3f15e32c34ca8b4ba1e8c839f598d053977f3c9311f2e4bd29437141c84d691c

SHA512
7a535558dd8e079ad7103a9e3a9ffd0c09e60ba329e3e1e0b0681be3b0375c79a4db5c8f681b6d9f233e99c8f5673d6e3728370254a29213b051eb3a19c5edd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
684c710b01943344afd978af5efe55eb

SHA1
08a2aa13fa2d16e3b34657bbe0f3d33fc82bfc8b

SHA256
a50e859a8994d057228990d6dcdb82913fad057d08a0a151bc4ba4b8e2cd7a2e

SHA512
11cf57f8d3deac47591c6e6075ba7902dfbe155a2db128038690f0c3f387dc6eb1160ddc58a3ce5a8e06f73c15932237f9bc02230272a2cd7a89e2be5c31605c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
97e64931cd03e8d5588b41e3f43e0789

SHA1
32bbe48662cd33df8d3b41bb354fdd1af4833e9b

SHA256
119a1d11c0575dbd597e9db376be68d33a02ec533e311ec876670c159876c5e1

SHA512
e86b88d6de730b3c2893eb59caa6159314c6bf40b6097f4b2b19f46813ee96224cf2ae344fdf419e73b459b41e060771debd4a8d60b5f496b0c9430331bd6624

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
9882242ad3e2f21cd350af6e591b3bff

SHA1
5170efbbb146464857358fc12f24564ddd8bfaba

SHA256
20621c33489b3bba45c685ae7fdd83f1e3af46e7314918368b47af1814f9aa87

SHA512
268b8cebaea5f5809966da1107ead6e5752d4e6fcaaa3c292203bd0db1b8e3d89d4dca7c062ed5f530af4f7da9d8d0e1985158f463ebc5de24d4bbeb42c397a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
e6a33922ceb2a9a8f328f1c1d9d06bba

SHA1
7e4486a78302e9274ce7c84cb3046a8828a35a5a

SHA256
d5680006673218fafa3a9265b452510ff1e5e00c2fdfa8940366f6ce45ccbe4f

SHA512
19562b32825fb714d7b531836624a47c573bca239e0bc841fffa4b1f5ae968153e109d7224e56a051d0e93dad77282b0aa26255cae6d6001934410dcf0c48c9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
b0b0fbdd55d894a9938cc2379fe9f669

SHA1
ecca28629d465496abb1fd41ff6677bb68a4e906

SHA256
2316434bee8966ca0430bd8b9696c7ebe4ef0c0c02599b65e686b16ed956039f

SHA512
5f6257e2e56ad9138f1eb5ad3d5f8bad39b40da7e7e1bfc8c5f2e4ee6e4ab7c8ba713d0fdecaa78313c05b4e54efd894ca4ee9122a43bbf3c90f0a1be8682f20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
aca47bebafd9312a9c8deeca3433b321

SHA1
f3da75e6307cd5f4a43b7b9a04dec30c667bc642

SHA256
9ebf3fcaf1863926f14f93c5bc2cbef55f5e2a1c534afefee7a5972dce68a4ff

SHA512
accd012017fd0b5851690f1dfb8be9287bb6fc879669920f37a35c2e645ddcc6c86cf4e94f856b36296c91b9072a84e310f8a756de7a3a3a9f74152f06295fb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
fc83b2d893e1ac2fb5e5d8490543e369

SHA1
4a6b4637ab0495f53bd19ba9a707a3745804c1b7

SHA256
afd4bf76e37cc40c17e9a619175f190784f6f0d3cc2d209f21c16a076403aae1

SHA512
26414e171afe9b03e8b1b715c5004aad127e2ef434b0b60f66b66de68b7980f5b3ac453c66d6331eb370493b38d07ad56e2f9aca9302c96eda2d369cb518e25c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
a2af1178c91dbb428df6f704f84c219f

SHA1
02f7c543ae4948ed169a477ec06dcb3df5b29255

SHA256
e7c11a5d07996fcd577c0fc7bdead57506bb5bee8bd62e84a86c1e7b4bc5a3d4

SHA512
2f749965c4e3f43c4193a75fb3bbb5956f695a1a47bbe6e5f5d6b985046124c4c037ec805e7587b7f5c9829f963405ece93e321e43a744d8588a2f39026f61e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
6832565713649f81c406024af6255d33

SHA1
10360f98796af4e9876009d346de8064ea304d26

SHA256
f7975d3e15dd1f87f762a9fa2f2d75aa6d4ccacb433a346219803aa14ec25629

SHA512
f2170492f262f64576252c37fe4083f0261871714ec82b58d5a5d935db2f96946c89ba2d58a1fa00a4813d886ec46e580501a8705aa89837100fca687420a4ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
dddb621aa24c1152eb68bb20c9f7296d

SHA1
d5cfaf6aeae720337638b25c09f53aee21b7f38f

SHA256
bce31e0fa503e996891c03b4a0df32b2e6c2731ae533b686499951de41d92d63

SHA512
9c302552460d838c14c0c80c9eb6fadafd18645f9772ccc54130ec1a5222577a0afce10b3dbac2dadcb2094452a642a1c450c1ed72f31b1734c3960babe5dff3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
db337e3e369fa2b88cb9ce5924756b78

SHA1
63abda4d7e4daf667dd2ffa549ea11650a256ba5

SHA256
2ee9e0ac798629e769b7ec00b399ec914324f1d669e18cc483d5f03a7c1b1bff

SHA512
3ac78c1d4439670edbc734c5ac9a374052b3272c1d6212723fdf9f614692fca3dea700f01e9111e11aa9067c97ade09e2fa86d2cae71c40910f27369cbb006fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
b7f8141685cbf9af889f00c297f76abd

SHA1
d86235b2e43028c41c66054ddf38cef61f252013

SHA256
96d9b3f2aff1cac0ab94cf35f9050228ccc8c3443b77dd79de2f54a717e7b3b5

SHA512
64b4d45ae5784a5ea50979e687c180030c478c37079183ecb3d16718e383d4cf93c70a2b2753141ec24b69beb85b41195c1a6b2d1ff376ba1864ceb80dbf5adb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
10b47cf37677e3ea35a8c4e15a5d5cdc

SHA1
d7ba4b289f1fa72bdb6ca59c154035ecf7296671

SHA256
52a91adfaba00de1189da711e8b3c42c165a2daf1b2e8c9f5882e3969db0ba98

SHA512
0070eb4401cf85ba5c5b7826a9de7f1792f158711930335d6a4e0255594f5c7e6d5a183be63c8681c122d9e59219cac46ff7caa58426f3f32e5c323132de3a79

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
ded68880d370896527971d40be8fc788

SHA1
31cd48f5601a552e5ade5f3135ff8ac5fc6b357e

SHA256
53fbfa1c2b7f8c8700b65ed873acdf9ef0ce031e9217b0a367b8450d857f502f

SHA512
64ce61a322ecb766ffd79c98a7235ecdb59e174b0810983b2d10b68040255b0155b3465b507f425cc06493339f5e0ef2cfb4a5c61583682489bfb0a9ec63ed75

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
375ab97bb582653bc27fbb1ad9f13141

SHA1
89cd1118182b6d6c9248f832864a76c76fe96127

SHA256
8d7f8b538e02ebb6a69025144668060436d4d29ba4eae08f88340ef4968971f3

SHA512
91b66ab7e6f0cd3c5faa34f493bf2049f03e2f6b42b2aa944b314584d337b6dcfaaac2f79b24e918662ca5160bb98fe6d5319dda816be4a363476ef45c8d369c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
cf4fbdc0057753761d7e87b68f723645

SHA1
5f6b09e8912b0991a390f1b2abb2d4f681d3ff19

SHA256
8c26b5d9cf194aca74388445f293327e6ee95a889bbd7fe57c3dabcf6164928a

SHA512
4094811f16ec2841ae3813de23c47d3a3979ef01f0cba24896cc3e22bd8b61ae2050b2f5edc19f92e6ca7f11fccd71ac5c1b93202fc1ad11e718e84d224a6509

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
7bd170a38f4aa692a7ecb3c0ef5c30d8

SHA1
9ec5f5ddb6534a31913928cd3e6df19bd15fceb3

SHA256
992fa30f418718ad4b470a2a1b458c8bd84fff514ce3c97ca5aac75351dc464b

SHA512
c1cafaaf69d353bf29556b2fe944730a215c6688dd936ae57daf7f2f31adf432c032e8e06d4d48f5369fa9c90324404edb6777f53e6a3e4b467ceb626c96f230

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e15b4a93b2320588c1e1ac48e2100bf3

SHA1
ec86a983b6da406bd8fca2629681b42635042969

SHA256
68d0f0ea055f8d6addfaee1308e22b42bc1277b422850a8d12215514587387f7

SHA512
f8435ff132fc0af1c39bb95f492376067ea73f8fa30252a033c10e8050867cfc81f5b26f65de55c51c87f4ec85224eee57561fbed70869f23cfa0016866644a5

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
84d9840b1e50be128ebbfc0a3331c3bc

SHA1
8a09fae51c4617fb96b3512a4fe672c59cf28627

SHA256
3a1c34e2c2a6757228c1aae259d5ee008b3107124c9c785947cb98cc0b63c07e

SHA512
e83448f4e48dcc018afbf4b85d327c2635e0da7307b00dec3ddd6def897f1fb7a4fb0a51d078648fca886e21b9a6606e2be055b14e9f0d7bf1f6e1c1bff6cead

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
3730195bec77f04db814ffac57337e5b

SHA1
c4b3e6e805166569c62f140ecbab06e735280c9e

SHA256
2090561706f91334ec03739d410eb07da6f7181cd042c39118a48f8287784995

SHA512
4620216963b2816ab47240c89282bd2ec1248c52000cfc9ceb81a608e4bcce1287bcbfd87320532e4bf75d1661008b77e18a97c8fad89c6895c5d7926cd25f1b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
3f318d3c3df0dad373fe79d50a2a2e73

SHA1
0c07e745d825547bb5becb7869ceed7912a00f10

SHA256
c488325daa2c7b4af282ed5e5726e0c37fbae805c498fc5a2a8e065ed21fc2a7

SHA512
1836509440f1d9b7de1d68e17f8f980af8b7a978108ce65121f4c66131020bcaca53d01796ce2fdbb5c4cb397f12f39f21f671f6e2b7183bab4f581224c34ecd

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
bbc9ed2385801c7dca1f4933d9abf64c

SHA1
ac7fa847383f44f33644ba3506f3683c65cebf76

SHA256
be3195e8f2edd29fea789d23b5ec50c45068f06491796522ee631c5d43ba00b4

SHA512
31694acbbbc415a4d70f59c33aa1a22f1b58e62696ea9e44f6edacec9cba65e326424de7956a505273dc5b07b756074e23e9608a36b0b7fe4fdc5ba37af024f1

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
86c234a4cea4f8d4756fa58b1300ee7d

SHA1
a4db9af6203c74752c9fbc44a6d4a50cc9ed8c66

SHA256
789c821c0c130915b58ba6a87c0addaa7d1af26b819be58f17edbf37410291cc

SHA512
3b1d9e80cf8ea74da9777cd800b4712cd3a1422245933a5d0b5de540243345cbbc2039a971cb896f6a648c17a5d7a255a26302695769f58655fc8ce8c731b187

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
2097546899df75034f9f0142b0e53a72

SHA1
c705e2dfd50edd6694a772759861ec2d5dc3641e

SHA256
592b27ef66dfe942b0e38c5e5b6868ce7d1671acec1541a744cb1db6c3ce0be6

SHA512
0d09e00e299559e03121afa8b30b5eba744603de78ecf8e5e128d0d0bb2c2cb07dd6e2ca451b4148b511495d632200f03582d0037e20fe594697d2d0bef2ed02

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
df3927970c87663f73b88ff376a8e899

SHA1
10e96c8171525a9d8b222c6f2da643a722f58d54

SHA256
d537e693f43e8e03286f7e86eb2b636455710cd313f796d77bba90e3bc10cfb8

SHA512
7e485c0e0957921d39306eba839d28f4c973331a92eb193ec45fbf67d87c4279a3b12bf8e851ae14ea2a22f6486549eb42dd06433d96b48b842588f6b6fca72d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
6139ba82adea390b64a4e69b8fe3f1f4

SHA1
0e92dda1a2026890d0a6dc7b4ea787d0e24d93fe

SHA256
c64e7ea7b6a7fad550b44f2b64341b4f6d199d8ca120324cd0d431ea89e80e28

SHA512
bf8008b3df1b2b18699da2f8552f6dc1db93dd8bba94b35d18bc042e74e62e690fbecc583bc4d486316b1c04e9d568ab322d7063a0bed727afc13bad41517309

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
6d055ccb070886d82d578065a9b7271a

SHA1
cda1c62c89822f89b889ba192d55316ce8eebacd

SHA256
3b17827fe60f92adf83b65c5d82472a2aefa4b223fcc2551c5df693852ebd6fa

SHA512
52733bbd9aa0dcef5fe31c976b036db4158bdac00598f2e5d5078c99442794706df4b63d9cb07c08abd4c95c0aee3dd3ed45a9d29646a01171ae6ecb0a546b2e

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
05392b5798e28ab820158f710fe1d8a3

SHA1
68f657984aa2434326765df0eb630b781c37483d

SHA256
46a7fd432da17610df9b39eebbea0a7eef746a4a0ec84a9d336b61a9f0638ba8

SHA512
8f0181d0d12bba2297dad0e5f125bd1b2892cb7ca877cffb9e22c060bf0f3ce244d9baa82655a97100d2e6bdc000a1a68c8080a04c728bc83d4f9409a2751ca6

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
468ba0c4815b7d83cdd7b071af579b57

SHA1
fca5f46eef66a315a073d953223e6cd5f6e328ec

SHA256
cdb32dca2a6f247e68d5b1cd630c0710ced1543de18a532b5e2f24eb559ba1b8

SHA512
941b5ee41efb3858fb57413d5864444098cb9c49163700b63d21b48e7ed7cff017f63f47de5e21749c8a66e5e89ddb58fc0dfbcf97b4211eedd932e2416df4b1

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
b5660f4ce112abcd6d68d8aef8254adb

SHA1
81d8322e4231c263b1a9c33ce6cdc9b61ac18452

SHA256
8da2cc59cac7f923730e7b72417d1caaa5d81237c59d3f4f918de26e3b253e9b

SHA512
35460f2d25e109abe268707c933e2286ce5badfbf3f19788b1f5811b2f7263572c29e2f4297661418cb69bd7d4f0b3aba345a0f5b9832885c8ca3081c2d6fb82

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
a4ad90babb572b96508a3e79a073ca85

SHA1
ff11a4085fdb5c65c809bbd8c1d2055b063dac78

SHA256
a4a9e2c6818044694e93d8f8b33ea088b2a35fa6fd3076c8a32dac7a10a8ee88

SHA512
5616cbbf34542187b54040698283b989fc488c12867e6a1f6b2c39d528494b96e4061fe915bfa5f205d081474671d3372364c5098a7d5607b9cd29b2ef88e4ef

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
733d8f9a68c3c432e8178ab1e8eb7f25

SHA1
092ba933ed9faf5731a084ceb47c3ae0aa6c34d5

SHA256
f3e1466972f01cc5eea42a118d1b11d559848ec97fb7c2477d7353d6e9df37b0

SHA512
9b092eed7f010be2f67dec3eb5087d281cab5bfaf46fcea79a97d5122e69939222dfd979083905f9a3c839c0b35a2493411744efec96afc8985ceaaf146414fe

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
74fa5950423c7b4ecaa80c141d1b7eab

SHA1
e67c60ebc297950967cfde52b0ba12c4185f612a

SHA256
02ef8bf265d276cb002610219dfa13eb965af6d10cd3cea8573ea5a39cfb1956

SHA512
f07a84740ddf39ceaada15e653611e3aa7f9fa9df31d7b1dbc2ae6093e9a0d4624dfbeea8c1cec85eb418e19c310ecfa3a29d9728e08ae2d5c3fa2108a4f218b

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
5c5fe1c5be1b479b4c893b3801a78ecd

SHA1
6ebf64a44f36dde2035f511312019dd29f1781db

SHA256
8a382b7f12217cee63e418464bc9efcb108f189254915600175d07743a6f820e

SHA512
22d78f21b833a3bfe3ae076206970f00a7ecd4883d6a22c537f6087def7e21b3ad7ae810fd682f06892a6e13c6fac2551d5aa9c223aab848e58e7ce146d29795

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
b2e811ecd8dff7d5162c37033e622bbd

SHA1
d2c9a1275a735e96a19fa790af448824c81ed410

SHA256
b76f2d565d24ced1af412853158600ae6fc88bddb5c4d546db1be6e59cae1d1e

SHA512
1b3d9c198162559d8ce915c0fd7928fb903384829fb85ff7ca9c7f4dc2f9dfaa356c9e5aabce1809759433e81c2ea768db35baf622b782306fa9e4a60cb4f1fd

Download Submit
memory/512-130-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/512-250-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1472-668-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1472-228-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1760-666-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1760-189-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1784-672-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1784-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2168-227-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2168-115-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2248-567-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2248-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2436-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2436-669-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2740-45-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2740-39-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2740-53-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2740-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2740-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3100-203-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3100-92-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3364-156-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3364-479-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3392-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3392-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3392-60-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3392-54-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3396-667-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3396-200-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3448-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3448-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3448-91-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3448-20-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3476-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3476-561-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3476-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3936-118-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3936-34-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3936-35-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3936-26-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4160-76-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4160-84-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4160-89-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4160-87-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4160-82-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4240-127-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4240-230-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4372-141-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4372-254-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4552-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4552-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4552-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4552-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4832-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4832-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4956-255-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4956-673-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5012-350-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/5012-0-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/5012-72-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/5012-8-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/5012-1-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/5100-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5100-674-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download