0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
Size

1.8MB
MD5

34c66788459de7bda0852bb9145a1b3e
SHA1

dadc2e8ce22086d70185ae7329243bdb63f02d31
SHA256

0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076
SHA512

38d2c60964b1f7d305af6ea80102e9ad0a8e4ff26b343a8be52a3e9d1e72bf1bc59084c58fda0c671d27fa8f5fd4ce199355bd4943791709db416efcb705ea8e
SSDEEP

49152:ax5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAVG05SEP+qJlS2:avbjVkjjCAzJWkEP+qJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1484	alg.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4896	fxssvc.exe
3012	elevation_service.exe
2388	elevation_service.exe
5024	maintenanceservice.exe
2704	msdtc.exe
2536	OSE.EXE
4316	PerceptionSimulationService.exe
1592	perfhost.exe
3636	locator.exe
1440	SensorDataService.exe
3056	snmptrap.exe
4544	spectrum.exe
4692	ssh-agent.exe
2060	TieringEngineService.exe
4772	AgentService.exe
3424	vds.exe
3484	vssvc.exe
3532	wbengine.exe
3976	WmiApSrv.exe
2960	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\locator.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3c145b7fc43e60d1.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\System32\vds.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3950.tmp\GoogleUpdateSetup.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3950.tmp\goopdateres_hi.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3950.tmp\goopdateres_et.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3950.tmp\goopdateres_uk.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3950.tmp\psmachine.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3950.tmp\goopdateres_vi.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3950.tmp\goopdateres_id.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3950.tmp\goopdateres_sr.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3950.tmp\goopdateres_en.dll	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce9a207a1b97da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090ebf0791b97da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099aa14721b97da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000470cce781b97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a0b36721b97da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064d11b721b97da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bd1d2781b97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae62c8791b97da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4b91c791b97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054381e7a1b97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009af417791b97da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4776	0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
Token: SeAuditPrivilege	4896	fxssvc.exe
Token: SeRestorePrivilege	2060	TieringEngineService.exe
Token: SeManageVolumePrivilege	2060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4772	AgentService.exe
Token: SeBackupPrivilege	3484	vssvc.exe
Token: SeRestorePrivilege	3484	vssvc.exe
Token: SeAuditPrivilege	3484	vssvc.exe
Token: SeBackupPrivilege	3532	wbengine.exe
Token: SeRestorePrivilege	3532	wbengine.exe
Token: SeSecurityPrivilege	3532	wbengine.exe
Token: 33	2960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeDebugPrivilege	1484	alg.exe
Token: SeDebugPrivilege	1484	alg.exe
Token: SeDebugPrivilege	1484	alg.exe
Token: SeDebugPrivilege	4196	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 5464	2960	SearchIndexer.exe	119
PID 2960 wrote to memory of 5464	2960	SearchIndexer.exe	119
PID 2960 wrote to memory of 5488	2960	SearchIndexer.exe	120
PID 2960 wrote to memory of 5488	2960	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe
"C:\Users\Admin\AppData\Local\Temp\0dd760ccf9290ddb46f4c31eef6e2eee4ae3f69b9be99d1a80c5fd95bf32e076.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3924

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2388

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2704

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1440

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2476

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5464
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
93a0e20501c6277b55329071a568065c

SHA1
240bf2125f5758f31f2fdd58b3d80ce4c295880d

SHA256
9d61789f0de4786144f06946fbe0bec862c524829a4d00713e3ad05ea88bf991

SHA512
cbd0e4b1b6cf2aed76026e3e44cc9bae39434105b53c9bcbf5f2e0772868307eed9eb4f2f379b458b37ff9ee54da0f7212963a9bd598a08d24a406e8f73d1969

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
20cd46cd12a061287a1042e9856a9047

SHA1
407fba2c9dc298ccc3888008a80c66f287067a4b

SHA256
8c514537504832ee736c5a27f61b8dbe5c4247cfc43748d928f5901f86a4873d

SHA512
9c038eb81eaaf6a5599ca6037b6994ee89f8f8bcfadcee8be4af57e5b09212dfee6c76ad6c25a9460dbd790f38b72d86fada756f0e97314d7e466e2bde298e07

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
cc52bd83748e2f0256beeb613fe4eb59

SHA1
941faf0fac1e9c1b41a378918441850af3b741b9

SHA256
91d93ea4a9b0e5f6c6a4ed81ec1a19470368f85418a0616d6488e4a56ab08548

SHA512
4bfe3112d545d69261e047e7e2c7395a903a656ed511cd5873559a09ee67a19cc49e8d679f5a2c49e7cc125850da23ec88d8a01be67d07a1781950efd43a1a22

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
95405e44feb962ce61de5fe2254e9c17

SHA1
780bd06f2d33a6e2120db4cb2acef2ae458d14f9

SHA256
c1ba2d5cdceb9533a24d3cd69271e56825b97936d8f07ac7a81a3f9d1e4b5b2b

SHA512
5e9c43ab5d334ea309a32f3f3c008cdca1e904b1d2699bab6ad753b3071f5b10bf7e7c99fd7a30b075ea2fd767cefcacc62bb7e6a88cf1f2f561ee80bd1e49b0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
60d35985ad68ef025ef97a70a462a4d4

SHA1
544495d1479e74e0d25235b7c990ffdaed4a0429

SHA256
882dcd66c1cc23a35f87f11d418a09dc41a362c66d6d6ddff4c32f3b6fbda34c

SHA512
eb5a10b61c7dcde5d1825174284bec4b3a7bc3346b9dc34283c2604e3677f1d3e589330874d17aaae62ca96138505310df992072cd1c8e99076c94e5e4602f90

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
920b6cafc21fd80068e1cab62b1f9d6d

SHA1
6dd0eca134d8759558eca4c21fdfad9f353f4f1a

SHA256
457ae292445047f201cf4ec286f50570524a64e3453b6054b46c64fd12877829

SHA512
5ee9faff14fdc5ee90d36fad2070706040f7bd2c9a040900abf5864002b58382204888958fd6e06993ad3f0d77f7fbf9842bcaeb125824f9abc29a572052171e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
617aee05dc054045376333e75610e8bb

SHA1
936bca6f0e757f2ffbedb06be487aab1e8069f49

SHA256
215b06dbe48e0ece608e280da9809b9ac4f3e192cd8748d702fe9fa869d8d5aa

SHA512
eca76f8b2f2c78744661c03b21a1a5893b153c969db39991f4fc8b15bd4b2018c1152a2b1210d68bb2e1f47da44e341c927d65f853db3487d07719ae178383df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c05a7f387af56752489e5874ddb85027

SHA1
3ad99400b3f5992bb4129b5bb35cbd5568cace8d

SHA256
4e1d26adcabce914adff4355cd495f544ee6d767aea9826350fb12fa738f8832

SHA512
414f1c53bc34453fb52b5751495c4416a6b3d609f794b303e5adbabcd638b1b04b911fab450e1bcb2c56b6f1b2d302824b8e4ba74950856b6eb674365f5ed767

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a3142bd3078482fda64af6a442406cd7

SHA1
8507c966f878ca8b17f2c762a5926ec23503a7a2

SHA256
de15b45387c18bc5ec5909b28f85e382ecb377d8afad312f49eb0620c81c021a

SHA512
cf292cc2e7288e28063a305f882d40d63a89f39e687978fae5d00e4d50f4f6f7e16be2e4c3217b4b4f964b40d4758ae2b14ce41dbf238efd25228cf6e350e5db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4a01050ad39fb9803aa377499a6fe466

SHA1
e386c1c63a699decf1f38e657bf71629ece410c0

SHA256
342140c545eb0c06a49c367030f223d1a8099789f8cadedb6d2d5440295546e4

SHA512
990cb54dbae44238d7e9e0fdef9ff6be1801dbd02b59111d3b1c3ca8ac08beb68d6e6ae7348c834bbd42385c7667d69375c6509d8e4c1fc0122169b74a9d59af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
df3b908ddef1dafd54257d928d95845a

SHA1
c37668efb3e1cfb1dde5c14da6b14af22847fef4

SHA256
1003ec5636661d80d140dca1066cf2bcfea5c27128732383df1f0b628b98c113

SHA512
259303d68ff5ae3eefa8959206ef0aca432eacd338f6caf13ab513336c2e268ff13d3655b7dc57a80cdf3edf41e4981895e501071812a19d0db5e93a6e9da219

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fcc3ac8bc8e5346189abd8885eab990e

SHA1
f7b6ad9fcc65e51487cad2854e2371f0082e5c5e

SHA256
71583d5e5c841156b69237eeaf6379b446e89c3c29803429ad12ab3681845047

SHA512
4fc9d8f2da6803fec17c6aeda64c871eb1f6ea7bb145a90eff5b3d4a384a21607c2079513a9c66592186571eed6d10df1eacd0bf8d47f2729378cf773db18ee8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bb61dbf1005b5415d165498065b6edd0

SHA1
b27a4bf5fc0e50637b73610faf4c196db3af050c

SHA256
79b19bd1967318cd7f580a502c41319aa4c566f89a41610aca1054aa278fc44e

SHA512
649b7dbf5e22bf23bf47b8b189c1c7c3f25e96e6c92d0cc732ab4b9ba3f0ddfc2dea4900956b30f860cceb27a7748e397c38a423c2a5af504c7e11ce8f9c0b11

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b9e5b764e373b7b6ce205fc354b1bc3c

SHA1
0e8b1c431476184ade7c7e138fb5aaf4b84184a0

SHA256
884978e166b8bec759baa0c7d7c91f468f2c0d378178fb118b98e845577d2699

SHA512
5e8f19e2c53e252f5540feb7e9532e9dd08c9f3c44fe38fafa44e726ec83a10ff76bf5f0e51178d2b62512d6d0fca1f64ae5adea68fe450fc1e56da265880e4b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
99e866286e027baca37f073a1328dd92

SHA1
b874c9b9ede03ddd2af4c31dc079e671a162879f

SHA256
4ea87b913f8be62da4c53b6eba0633d59d0297e3adb5e50d5306ecf1dec7a0f5

SHA512
bb632b446f61d1641d4e961a0fa36bbbf8310cd227c69be8e96b65c59312f2496a4c0df88c98d3c955aebcb56e58c08d4048db002ee1c9b3d66b702bb437f7f3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2577b83bfe8ca9086639dbeafe643be2

SHA1
33af7bc2c07c2ff442ff3a3a7c11f9c6e314dc59

SHA256
cdd3e68821c8e3aa7c7d1a35b4fab66b9bcc76cfda2bc4f0ed9154036b8b0b3a

SHA512
f7c56d53cf051ef93ba5355c78ee54704080923c37ee8f7fdb96b685fb65fa5865958b466f39f9e6829f07d1af48b34e4b7a9bc66a6dcb91dc607b647710a266

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
37b0bd66624a71ccfb1394dd54e26299

SHA1
dd5d4079ab593a5e352e645c649f09859558391d

SHA256
2fb4f6ed284c930cfe393704b0bd1cfbc98c8a9e3d6b87bad9590d4acc7ce5ea

SHA512
7a25316994c7c6f5c0b64da61e31a2ad1c12df3d15f657fbf4ceb72e405223d68fe36fc7f9786f232302e2394f8ab3a645646a83221ed10a4042e584c8e64c60

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1c90f0835a3222844e3653ac9d84d542

SHA1
a63bda1440cada4fae07c5993b9a02f0352136a2

SHA256
a9a997cb6df5db41f724fb5aba7ce972ecd7cc855aff9de2ff98764d0781ae2d

SHA512
38507c1d5b1bf3150a8c2452dc192cdfd2d504c0c7481b043f561499553ae21d44f7f816ae2bcb4b135910343c94253efc86e27504f099fd23ad95030fe31596

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
968e419834b6acac88153b75f3dd4ee8

SHA1
28072fbf5f852300a1d2d913e1e78efc60bdd9e0

SHA256
b4be39ac1b4057988a067366f81e9be6a91682fbe2908c158c53857f787ac29f

SHA512
009fb4c92dcbe3c69557f89f601abfe76d772d7b496c09e09a4c322fcfd7fbee4622f294854f4dcaa0c0bb58c4af85589bfe277005592ea0db3f9f1320569f75

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
10b43e63b4bbce7acafde6f1df42de2a

SHA1
31f60e2fd2c83ef166df78a3ef8c30ca72effffe

SHA256
f3d2ecaa59b503513ec586e934ba9c8eb1b9ab264bb9ef200688137bad7164f0

SHA512
8221cf7312dc567f6263dcc8277eef0814d2a2f40ae3bdee206d230c5213536e90911f560789e685c07e93b471ea1a4e0c3a01825c6dda5c33746210378e0726

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ab3375205dcb98e6bb6524ae78fa7c27

SHA1
39dc17492d64540c565533aef80acc7b161213ff

SHA256
7a7e4a67b4d02aff401fd7682973ba855a8ae327c559b002ae32e13aa389c059

SHA512
a501be273335aa0c2e9296e84b3f14d21ef389656dfa7993ff26c0973b465d7564fb94c675ef5687f652de3f68db5b18728a06662d80a809ba8b6864418db34a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5f7acb92c5def8b2640bf861a865e882

SHA1
06f6da85818affa436452b6434c6533fff236f53

SHA256
873887b45726ce2b5072d7af8a5e04ef5d1ff6c477108ea119a94cbbd20912f4

SHA512
1f137d88427fac20605013a9b2c3c81baa1d0818e3305b12b7244932ae40eb560fd4c3ade4931ece1b40e7d02d69aff325555e1302a81556e30f3673c4218955

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3e50b1d580b7bf19dc1a2320ec2bacc9

SHA1
5074141d4faccde6a790d056817a357eb04338c3

SHA256
cc7c5cf372900187190ee25fc38bc8b58b734879c5b928a58fa1cc5f2d4d1a8c

SHA512
119790753901949c4b14950902dc773d6e98dac041edca8c0604e4e51c81f31764fbe40a99b4d4b696cf19ae99b57b3d2de47976f267643fed43954114ed54f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ec947662c2615673f9b4def23ab576ce

SHA1
0bfd990e8759cfeee139f34535237785334b4e02

SHA256
3191808a2ddb7153c694559824766732910b855014f63381aa825c35f76a3773

SHA512
77fb3f518b95bca86cda06cd90842fd1b823ae9fb92059085c1a9067ed9d58c03476b2a102767ec341c55b8c53b137dbc8a1d5da21adfaebafb819db296431d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7a7333e512a9c2c71fe833b75987bde3

SHA1
0d9e49ad7c00910fcf2385e28ee70f2a5adb043b

SHA256
a1160de3dad2956fe38fb716ab686df3f796eae950cbc0b69013dce8b8e3fa02

SHA512
3214f7828a28d8b2ea81ad16c1f2175fe1839c846a1c92ec1cf9f2d86cb65679cfb20ed54020d290c2efa03ad1f938d542c73ef21f498ac555234546688e0e16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
0cedd4e64f0148eff85d5ade3ccea19e

SHA1
5f92df9a2aef6647d2627bd806ebee5e6141ceb2

SHA256
c244c4c21f0bee1ef328c88e67ac6ea87dba87d9438b91f4a3840bb9e35badfb

SHA512
c2fe721fcc39c64392a737ce92847f1ac6f44f1d30883bdf2973673d65875f22f3a521b0fea08a71823c7087dda8f2d12f1b3ad1821ebbe4fe0bbaa613c7f0e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2221c575a0bc221925d49ff2177d4d52

SHA1
8ff5bf6fe41e31971dab068f9c7e9f1a13739105

SHA256
f18bf6070020f2afc3dfcff5690183e2a2abd6bf88c25dd20a2f3acbe9e1b5b5

SHA512
fe8704fc5fb1f9755dc41b6e47738cf10db0eee8e04433d395f09945b96dceabb0652732b4ed32484166b3ede43ebd572258ebd8a8b74f3ccd3207de3fb5b7b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
29b5a90bee1626321989a8d5797f4835

SHA1
1162a2ba7eca4c0dd0510b9c3e0f5542d052d76f

SHA256
682d58f90552e1b70f9059e88c1b99d64ae5d5eaca80b8d5d9beebcc1ce5ced6

SHA512
56df4ce80da808f70a72bc6f17415487a1eb6cef8c03730cae066248fbb77db43bff3a63bf9380ee4dfc7f130f2b555b93c71e46d86713509b6b5ff648cac3e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
287433d13c04dfad44d98bd4863eff11

SHA1
6f8072182cfb407d207617d5f54ee19e62fa338a

SHA256
ea8e3e4f90389225baa2c2f1c60291889da1769fd54b5531b67f8e0529b3a88c

SHA512
3994fbd675c38186dcf45b997b41511d31844171fd73249e3fb7e55c919f18c08e53f140339b50134fa876699448baaf9dc9dc865ec452b9201a3ff551a6b1be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1703fd2db63677e8991c0bba85bf31f5

SHA1
df7854a05c9f1f049adf928c05321b722c83af4c

SHA256
0dc120af8dab26a143a3be1d05df143beec15e8d56bfe13190fb9cafd1046d3d

SHA512
9321dd1a78c038f29b8882746e91a75ccc08baa9a5cae906d25bd9b64edb4f61cb16cabba4af32d537179807afdfa1520ed947e7a213fb340191bd9b52ce3616

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ed17705654376d05f542fac87e02728d

SHA1
0d84c86e796f1f29b93fe1e4d44f5dbcd3e36590

SHA256
0b777c96e9301c5bb2c29b159d88144d3ffa6d36f9c45c62c0cccb1d883dd383

SHA512
71014054dc039cef20fff5b2d617df01779745b0aee56cc9a602be043c2b0ed0324fa8f629a60c3b57ca92b1ee9450eb8fadc4ef4f03f825682cc061db6aff54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
21acc26adbafb4b43cb04fcc3e1b16df

SHA1
722dd914277a075158dabb620bace88234197806

SHA256
e6c21cb20d8333d41804dc60022632ffee6a877d78778a6d2371f7f66b5290c3

SHA512
0f7b3ea500f483a446365c8bc0bf6e313f3ae8a392c5da5b1944374124358a2b68dd2163ce2f36d7df2d90174b635bf9d026ebc6da8179add601ce5db24e070e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2932663c649f35f7f3956387858c6087

SHA1
9c7640d887b8df385587dd86f13fceea98f62a8d

SHA256
d8d67498a28b16aeed269b8d19e26bfc35a1a4549673fc23d8d01c0018386865

SHA512
3c86da11edce671e982fdecdbe287b69622b572e6c040c3fd07485cb67445269ac9513d97bbcb0509976578c3630371565934dbb4b547829ca5b602572f6ad2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
0cbaf7a942ca7b5f9c398e74526e4368

SHA1
ba94c35d9a19edaae794cf24b6e5ad9c90d1de41

SHA256
f91fc47e2c21b4e6c841aee30eca82b49b3a0ebb49413dde07d87d5899e3c560

SHA512
7ced4bcaa92b60ce6c689bc2ea867c3b9cd9d951ca4b83195e80bd67b419ef16d3b0aca34b8b670efc6995701bd68d1f440b5b85fc2094b2ec178c45d998919d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3e8939aa4cee4c441328c7066fd80c9f

SHA1
4674b44b2f7898b53cb5c46fa08ff409704b0c04

SHA256
ee0e67b80987fca482aa4cbb5fa04d077c50fd1359dde638c76908c9b028da48

SHA512
b6e7afaba3e0199bbb8e6814c6f792ff239b03aa6ae9c7d197c2446e1b6458f72b19fcbacdca86c8e8257b2bc02a1660fc42ec253276ebc58ec1386e94f9e211

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c94dd9a89dc99a2b343aaaeea1d1a4f3

SHA1
69d50f1972503f1cb572194009b7502724f37fa4

SHA256
ae28c4ce114dc76971ce58205f330dab273c03000dcc31adae88f9d24f19c068

SHA512
4588dcbf66b7a467d2fe83d72464d4d51b6066352623fd83d2fbaf3e0f757e3e947df457ea32ed6858adf7dbdc4404a4bcc2895d4359d75a2a62216f80f811ab

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ec8d17202aa67745edec9c3bc8383e6f

SHA1
8b4e5d0718ec8d19ac6582526fa40d6116a7bb8f

SHA256
619709a6b1dcf8fe9dc0abb50dbb5e427bcdd53f16e9aabd76e5c6608ee188d6

SHA512
ae66e96becca95b19d356b1dd46c9d1d88a244221f19e0d0a76adedb1858a883fe092ea4e89c49f37012342c2f9c7d7625fcd7b74e618a501262d4939ffde479

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
50426c8891b75744790ddebd71c4e997

SHA1
ea1175f18f7ae0f8f01ed924a685c72551bb1dd1

SHA256
95474f96dff0f0cfc4e5d1eca4a5e9302a4319aa450933fc7a1501df7dcef6e3

SHA512
a1d80ea393194b56ec38e715d1f745ffebb3eac7f208541c8a50aa634e4f9aa123576323e0f2df39e3a0b7341516292eb060328305063474c92b5d69f78f9479

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1e352f0f807177a4b8c7f624607909e4

SHA1
4351d22d63c78543a2d93cf46055b29e04be4838

SHA256
fa5061f6b35d513e86877f2bab7994947cca3528455cfebbea4214f235936ae6

SHA512
1d16c54e3407b7bb4110393e2c029ab3870d6f6a3e9f974a02836f0e9e38d948b39ec964911b5e9883811cf54670042949864b23cf27f1facbb46eccd01fe6c8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e659f8e07402b09fc24fbc22e1bdb63f

SHA1
18f608248a2dfc3740dc0c64c87bae1bc7b9953a

SHA256
d18309050c18ca859cd92303455e443181653c0bcda0e6a29bf5dd7d98b68b28

SHA512
65751b6a045d444d2c57948086503a6ef1c7d1ee8844dfb20b1d3aff414cbe448e8b2316070802b8217cb8758e016cefe83762a57a3f6c2fba34b5359735de06

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7a9437fb173dbf0a30c21007f59ad71c

SHA1
3205e75f3a6ae310703f1b2a9651dc7577c85ba5

SHA256
bd84b027dac419357657d070134da386bba46547df2cbad1800e2f4be0a2ee5a

SHA512
92dad8e3874ed03c902fa775302b87c4fb1b2e1389b143e14e955f942355bc9ccdfcac8a16b4aa96c5d6c7d94a92d7fcf87796c982f53e827d284962bcacd822

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
af0627f21a16952c363375c64f55c82c

SHA1
57a57330274ae13f2d9b1f9d96fe6b6c1937b309

SHA256
ee63779d9d297f5cea2a859b36a07a941162de2060508887fcd518a7b9a43abe

SHA512
36d0643d683b757efc5e07bc8e8c0e7f5aaa5a8f103120a152b8237b7d15650f6e2c21b2467737a52cf0ef4e75fc659fc8c1bbc9fb1106cf4b030fb05b8f345a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
42509dac3751a9483bbce28b9ab75a76

SHA1
4d1ab81bde50f70a7935755be41b8eb742aaad94

SHA256
a5a98c0dfec1e38b0a2248b574ca90ec72b97a74cfd6063e4734b5d13ad31018

SHA512
f2ba8fc7c6e97a5a256b62a1446535427320127e65d23f73b2f27e5b6b21117f45bca09c482367ee42d61554d356959832e6172937e03236d21b42029f311b16

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
36da75e02568922053cf5a7b1bf04399

SHA1
000f5db2c6853d0983307e6938ead3779fdd65fe

SHA256
367f9709d4684b8d5be8f76c6e227c31330c9ac5d2e2bb69e4dcf1a07ea3af33

SHA512
73b10fa37d7885d5250324198ff0a51efe37a1678188aa93344881675e058422e7550cf7787827cc7d70563640a6a3aa528d3be2a16ae5a5805f32b7bd61f96a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a22125ef654cb75564ad43defcbd0b0c

SHA1
75469c6f670329c242757b5d09de051a7a991057

SHA256
b4da0a94690b78f9058fd05f2a7d7a107a0c803d11afddbee0ad57b4e05eae8d

SHA512
fe41710a2fa3262c58374750c12f0644ac1263f9dde538a6ac2c102325a4dc3ca188d7ad225b48579fc7fb111346132e6ecb2f98329a6ee9513f5245f923e6c7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b6b1366cd6e52e385cce94bd683cf790

SHA1
964c7c29d99c9f1d321bcb6de0a427b9cdf8ca93

SHA256
fa900b13b70ede90e06a52d561b6fbb0916b9f13d3d524474e9debfc7f05096b

SHA512
bb00afbbae0362740a3382f76fb575c4132e663f1b4d78c1952defb680d794ec4cd2e1d02c6cd29b09f67ad4707cf5ba53861b42e181ab6d6aa1a3e79eb44885

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
75d4eaf3a6522e4104033c3171e90af7

SHA1
91b7bc4d43f04e5435f5cfc8b01134f6458925bf

SHA256
2cdbb821894a2500dad6930e03ad48fd8aa73500ff44935fc2322eccb9431a70

SHA512
b80d5ec6ddcbaa2f3152008aa578e05207d45a9a62ed77917a1ce5049866afc4ffb62a6b6546fce7d4fac0c7dbba10d9c355db9235d886560016df012f44654d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c095c76a0f8826908a6f91baa910d551

SHA1
8c62f44c76f13f7137afc7ba41f3a861d9d641c5

SHA256
162a3c657c54616e03afb60f1394045e80e54b659c6633836f12e87299f64aa3

SHA512
b16b47bac160a7e7f45ec3171c46ce71f8b8dd674c8bd2e0994779e6ea1521ee31e8caa7d2ea3ce7f217b0743fed9e99a7242aa4704daa25e4e0a5c6123f984e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8db4751ff2812cfa6306aef649662fb8

SHA1
02ee5af28ef2fcc1752bb041fc1bec2c0530ae3c

SHA256
9c682ca2a6f67af1cd52acbcc70db52acdb0bd06be41d2605265ee7c2de9dcd7

SHA512
8c0c737acf6ca04d6dc37647af2fd8775c7c2cecb95428a74c505692d71f83e72078b4193b54aae4312c74e8906a7c9062037b37350291ec7644b66d168c3d22

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c25843d8fc8509d6f5279ed855721421

SHA1
225128e7b87689adf3bfd29e9f831a9155fde1b3

SHA256
364889b2dc59ed6d9f12f9c191fea51b10b71102c321d7f1e40bbe58246bb0aa

SHA512
3cc24c3900ec96d166ad4a56759912b44a61ac36ec60f8ece3ad7e160a377ad14aff9952a6fe71b5e3409eb40f412c3acaef8f11b3d34c8f8253632697827210

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
11bc351c21a7f8147d9a20905a2d6d37

SHA1
9e9a0f6173093196898c0adb10403ac685612822

SHA256
b2ef75f55856d1cc1de31ccbfe659fe209f8d4c38d776d1d9c67c7837d569f23

SHA512
230bb315551bd6c58ab74cc44bc682603d2819e0238a2a3df62fb835d27a77f53f9a8d98d0b9067d13cfb2c65d31c5446b9170b25fa4c9990c8d97672adb00a1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
46ea3e36a760c5516f294bcd738a26e5

SHA1
d2ab73ce2cdff0280226b75a508b54653dac73a0

SHA256
1d5877e37b02cfcc5ab2edb8f1151159548cadb2d2e6f37d90664cd9f3625dc8

SHA512
72813094bb9ea577504d1aa3227345e75c040281024201b438901882d1ff82306800099d909d5a7a6cca7470ff770fbe5c8c715e0b7d91a6ac2ec018d58e3cd9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
df9c9c1e9a1343a180692cdef3b7ff92

SHA1
3eff6b5716a4aa118e487c6d3b191c4605c9b258

SHA256
50f6cadf30ed9a6336632680bcfa2ba9b6211e8ea3d70425c49b5efb698a1674

SHA512
22973c3152ff3bea2be9c9b5cc674c414b10399d8a389559e5d143e3e6e2b91da7514a3b09ab1ab115c18ed6fbc418e2ccdec2bba5701199b9734238d31d29cb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4e68feb4e82f53c2cac1c6fc707dd3cd

SHA1
e3175fab0f232211b8fe29abfe427d4f4cc73234

SHA256
6af221269537a719db26b5c7e7811a6c6ddcdcc4f0d286384e08b81431d043d3

SHA512
b526e895d781dac4122501b805eb75ed6063ebd66b8a5cb54e775a7cdef0be3bdfb064a626919331c0b8f19c2f326db72d54836d7f75622373da1f5f2becc89a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6ae4b14c701a22524cee15c3fb14f790

SHA1
0d147f93d0bc5807e762a1fc1f8527dbfbe07653

SHA256
3ff8d05f630f7b533126ab4ee3b1379c1878b31e2018a964cd115b1a4694d18e

SHA512
a61c4d0a258dce86286d1dc0453e2882098b176ad3f90b66fcf57bceeefcd2311b8602dfcddd7452053cb251899edfff086a5f6abd1164db33b0983224243578

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
aa71b64145494b73aecead6920d833ed

SHA1
f64e4d8d465dcb20eebd01457e7db53a0a7010b7

SHA256
5f87d778ab37556401e0010de57c9a21170033ad3abbb40afb6f4f0c43112289

SHA512
6ed143a89703ccfb5d996ba98319258abf72f05a0c3cfdc9d650f238a05e6b999cf9a95b059f627391b122a23788dd1e9b8c9d33a22823e7c8138e16c37c7dbf

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
0ed5253b494727bcc171ca68915793c3

SHA1
621c758d0979a15c92a95bae2eba0154305c65ba

SHA256
ea670cdbbd2f94687e36660340c9a64e546ec4e2482e2217a8d51a3145e53898

SHA512
0941fdf580503310bf968fef4f5e2234ed2ef6ad5662b5912148bd3d599428d3f37bd670dd35095d6b161285705bb5924012ba8a639877b97c75ae53faab6243

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
de7d7866b2c9d0b3057b8e91b9f11840

SHA1
c06a0cadc8b1bae981794c396efc37ec282cd986

SHA256
b87897029a3be9721defa2729e51fcd3c671c40bc3c2e1da9a4d70ce6993ca84

SHA512
c4587fe5273c1ed5a02d91e0c2ccc40c79ee189564db8902a1ee58822b4b650991b4621e35ab20c12f5cd25c1b458aff52d218361dcbda5b6eec9264302a1980

Download Submit
memory/1440-671-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1440-227-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1440-235-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1440-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1484-144-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1484-87-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1484-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1484-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1592-203-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1592-265-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1592-209-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/2060-289-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2060-348-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2060-281-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2388-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2388-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2388-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2388-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2536-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2536-173-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2536-182-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2704-225-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2704-169-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2704-162-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2704-160-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2960-371-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2960-362-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3012-126-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3012-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3012-120-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3012-119-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3056-309-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3056-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3056-248-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3424-319-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/3424-663-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3424-311-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3484-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3484-332-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3532-344-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3532-338-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3636-213-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3636-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3636-221-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3976-351-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3976-358-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4196-100-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4196-94-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4196-93-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4196-159-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4316-198-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/4316-191-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4316-252-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4544-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4544-262-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4544-254-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4692-267-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4692-335-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4692-275-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4772-307-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4772-306-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4772-300-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4772-295-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4776-130-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4776-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4776-1-0x0000000002450000-0x00000000024B7000-memory.dmp

Filesize
412KB

Download
memory/4776-6-0x0000000002450000-0x00000000024B7000-memory.dmp

Filesize
412KB

Download
memory/4776-7-0x0000000002450000-0x00000000024B7000-memory.dmp

Filesize
412KB

Download
memory/4776-506-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4896-116-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/4896-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-111-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/4896-112-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/4896-105-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/4896-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5024-146-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5024-143-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/5024-151-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/5024-157-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5024-155-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download