cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
Size

1.8MB
MD5

b5b3bbff8ff82a8b7d0480489d3ca799
SHA1

cc0fa6ee7eeccec68bc65459d6c9115eebfc6aa6
SHA256

cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268
SHA512

71661b2773b27212ff1d20f199cb5a8ac4301e2b207916b2a4b420a847512f1249b1fb6f655592579030a151d8cce8fa6c03c39c103ef8fbdae9fa265f961a0c
SSDEEP

49152:nx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAkaB0zj0yjoB2:nvbjVkjjCAzJyB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2480	alg.exe
4616	DiagnosticsHub.StandardCollector.Service.exe
3584	fxssvc.exe
3244	elevation_service.exe
5100	elevation_service.exe
4952	maintenanceservice.exe
4944	msdtc.exe
1260	OSE.EXE
560	PerceptionSimulationService.exe
3028	perfhost.exe
568	locator.exe
3272	SensorDataService.exe
4384	snmptrap.exe
1884	spectrum.exe
4484	ssh-agent.exe
3636	TieringEngineService.exe
3588	AgentService.exe
2692	vds.exe
3872	vssvc.exe
3860	wbengine.exe
872	WmiApSrv.exe
4884	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exealg.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\697c3aee7489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\System32\vds.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\System32\alg.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\wbengine.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\vssvc.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.execd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\goopdateres_fr.dll	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\GoogleUpdateCore.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\goopdateres_bg.dll	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\goopdateres_sv.dll	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\psuser_64.dll	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\goopdateres_pt-BR.dll	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\goopdateres_el.dll	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\goopdateres_th.dll	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\goopdate.dll	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\goopdateres_ro.dll	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31CE.tmp\goopdateres_nl.dll	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.execd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009acbf0d99899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffe957dc9899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae7e0fdd9899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000435319da9899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000778f14da9899da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041dd22da9899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b2df3d99899da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e3f25da9899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4616	DiagnosticsHub.StandardCollector.Service.exe
4616	DiagnosticsHub.StandardCollector.Service.exe
4616	DiagnosticsHub.StandardCollector.Service.exe
4616	DiagnosticsHub.StandardCollector.Service.exe
4616	DiagnosticsHub.StandardCollector.Service.exe
4616	DiagnosticsHub.StandardCollector.Service.exe
4616	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

680
680

pid	process
680
680

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3524	cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
Token: SeAuditPrivilege	3584	fxssvc.exe
Token: SeRestorePrivilege	3636	TieringEngineService.exe
Token: SeManageVolumePrivilege	3636	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3588	AgentService.exe
Token: SeBackupPrivilege	3872	vssvc.exe
Token: SeRestorePrivilege	3872	vssvc.exe
Token: SeAuditPrivilege	3872	vssvc.exe
Token: SeBackupPrivilege	3860	wbengine.exe
Token: SeRestorePrivilege	3860	wbengine.exe
Token: SeSecurityPrivilege	3860	wbengine.exe
Token: 33	4884	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeDebugPrivilege	2480	alg.exe
Token: SeDebugPrivilege	2480	alg.exe
Token: SeDebugPrivilege	2480	alg.exe
Token: SeDebugPrivilege	4616	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4884 wrote to memory of 3132	4884	SearchIndexer.exe	SearchProtocolHost.exe
PID 4884 wrote to memory of 3132	4884	SearchIndexer.exe	SearchProtocolHost.exe
PID 4884 wrote to memory of 4620	4884	SearchIndexer.exe	SearchFilterHost.exe
PID 4884 wrote to memory of 4620	4884	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe
"C:\Users\Admin\AppData\Local\Temp\cd921d279f3d413be5a5473a9e66d6a95746002b27dced860b97117ca09fb268.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3760

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:568

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3272

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1884

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2504

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3132

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
2⤵
- Modifies data under HKEY_USERS
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
12242d2699bfe5462a13a77fdd5b09e7

SHA1
8dc27f97d17a926925bce45c9598c300f855d0ae

SHA256
52c99bae34eedbeb0d853bee30ed45ca8897e2c12ced1549ee820d11af2b18fc

SHA512
8df7963f52743a897b2e1c4167e0cec5a969ac8847834c534f7df11cc31d86da04db8ef959627814aa90c204b3e0d4bb1b3fdf2e20fe3848a26450e512e2c22f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
7b096daf582f985f0e8d4ed9981169a3

SHA1
abf959e9eac7765c5bc35a53a78314bd275ee796

SHA256
f1b6e6f719a6ccac660476e9d90cd59f381fdc1b199ff2c0c06298902320b4b7

SHA512
72a742532c02ef14209130e743d3ea6ba5f3ed8029b33e02985ac6400ffeff0c2399c5e08e7f3054da37c246ac12e269f1b7ad6f31ed9575034106db24055469

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.9MB

MD5
2c1c73e5e9d73f47d6850872d99633a5

SHA1
d2196b39b3e454ec58000832f59c5a70b055a805

SHA256
8d6043e998aa5d1f7cb2d850ed0d91a8bb1ae27e312df99533d47afd67909d97

SHA512
f5ea2a53a693e71db828d480739ce32147f5d6d52c79a67352aa551f717ac973f76be2556ecc855a518118f2f92aaffa167aeb8e668ae0c740e50afafe1c44d7

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
76b19fa57209f9076f237bc5bf838b22

SHA1
fbef38058d2e2cdf3b9a25e000e520d35acee793

SHA256
50e3f3341f21d7faf09ca954f27d1ede876dd58bfed538fc9f751b5f04091447

SHA512
6f0b1240fa527d8f272f40079541ac10a13239b081c4865272d91860c58cf425080d2e81b9c980af7aa396a650d21eef325a10729805c3660d28f00745c26e5f

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
7a1b50dc08a1d9e372c206dbf4a332e7

SHA1
03f2a989e8835a2d6d4df924d5de9a446c74a4ac

SHA256
e492bf367607b27e19de91172e00f0ab8b9db0f87168729f2af439bf78b07090

SHA512
6b91989e5b59fdc0c657c696345b2ae3e90beed66d57b5db35141e667d8926a7492819a711651b419422f91ee843fac772a73c6537794ab7e7f5429aacf806c1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
b67b41fd7f62b74f5e8905ea748e5348

SHA1
9d67fbf69877ddf82766d85f3099d1bfed318145

SHA256
90e46229fd3b7e7e59eecbf9f79b36f2abc73b6274709898a65bc2bd71b59389

SHA512
83cbe75abd6193fb5a17d473f0741d70026c313a2574a500e7f135d3fc4498019055d792ce2ead01b259844a49fef1cfe2bc61806a3513e285efec514cd14028

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.6MB

MD5
afc615b6862bf14b1d4e499176a03741

SHA1
f40b0ab8c5f82709356dbe2de19581975aabf5fc

SHA256
8ae2703cbe4cefdfc524fbbbeba16d0496a315fae533898beff45b8fc449b36d

SHA512
8df7bdb85e164d497f3d35670c204e1f9c3bb4f749f39017e8a0a109ab95f18bc45e494857d5bf99dd0ea159f427f68a822258e4e1f576d791467f3eb034be22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
e2ac104cc71e00e7a44408248a2ee3f2

SHA1
e87430aa7560957bb49fd030599435417650f5b7

SHA256
4d91f0220fb57d6dd8049e567d42c5dba0e95ff0c8a3790d0396aca5a06479f7

SHA512
8542a55e85688f0f953dd7cc6b0e8937073457557dab9fbb4b61102b1bf62f2ec83f309406002ca190f61480ee3a91def47ea8fdc70c9db8b1da691816b9027b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.7MB

MD5
c3779efe136ecd1c466f0662f3bcd023

SHA1
4f4f62b554fcc2cad711281ea06d7a3cc9d0bfa4

SHA256
d64fcc42fad82198b9226681f2bf6f3aac92be8d67d96a27b700de0e7042e9f9

SHA512
a4f8a1c50c533b6842beed3940e77fd81e59cc529b659c1f950ec80e0a1d9bdd7ccf4b4a6a23bf476e589586f03d3ecce37e17e55c60e1fd0ced98523df4911a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
fd83a833265abbbcb66a5f07b53aafed

SHA1
886b3e245e5e56860dd3188c2a1ee33289465bbb

SHA256
03912f945cf97d73ad5045ed292b41ac5166e4a8560ec55bf30af2bd075e9ed1

SHA512
90f7f6a1155f7b5f4496fe64108efbbe9ad3c1f93aa3e222f3a76790f69f1bc895f6c34cb3f675e75af2954c0fd54fc770cbb0c26a0e92570e243a83a3251875

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e5e5cf2d5af2d7255183917876b9a6d7

SHA1
e2b9ebf95e133921fdd8b8ddbe583b79060aa5f6

SHA256
1e8392c87e795978dcc7b9a3fdcbb66e90ec7dea926b86208ff1da6481171bd6

SHA512
7009a664e24001bbdcbdb27f50d2a5515f11dd93ac2d3d58cccf3630568ca99d5cbe7a6b2078d7bef0529243243ec9d43507ff49eff62b6bce8aefcabfd3e1a2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c666fea6a21e32c82285acf65bc3c2de

SHA1
77f461c2fbd6964833ec494c6c3e11e1d0ebd12c

SHA256
60c09c6790653fd8e052aed0a018d090c23017affb2ec56969c0247b00042547

SHA512
9d9a7e236460ed48cbb9036bacfa15ee1140abf163d14eb4f9af9a415aad89147acb3444daabeed2765891dd40dbb9fbdc3740862468ee19bdd6554a18d86260

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
1cc32e130f4bc31cd5a3fb3dec221a06

SHA1
03a14a1f998c4f19fc0d4c51acc8c5a0db4d2772

SHA256
337e38a01a040273113323dee33f2b5816189fbfb27ef584b09cec9a446c079a

SHA512
582bbddba60451cd8268eeb56251653db70ec05efa89d63bf955f8a6b132ab83f5a5439eb75de44739dd83a28f7ca74ad8f15c4b1c6e40225d8cdb1fc06c3569

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
e493fd2412206c39cfd7616c3e9e836c

SHA1
7588dc563697576b3aae6d5bec3ff0baac42efba

SHA256
dbb8d181d6e5810191a3823fd48dcf79ba642756fd37306b602e12465e24a42c

SHA512
c67bf356cdac65cac35061d2fef9c35bc065b4256aac2bbe2e9e5561419465aa4b9018bf926abdd1b30c8499f86bfd44a5d7becdad7cf8832d175df667538bc9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
9703db43ca294dca952c856e181fd7e2

SHA1
6486d3a4f3c449aa5776dab29f4180ff46e820bc

SHA256
73e2cf933ad2f9f3715e6b41fe7604219a3aff6fa3a202fc329e9ca24d8c0bcf

SHA512
188dcf175a6f60462dd4fddb87e580b39bdde852148bdd31818ec610019fd5eff44dfd2d74ffd778dfc8e5c69fc5b09c9d18ebeae898149339a7c10e1dd02c4c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
012a27636e75cf821cece5a08cdb0f7a

SHA1
896b4d984f67afd0512a97d6f017808480d1d28f

SHA256
33a9e02efc0f9108643de5767afe85818842652900b2235a1a967e090df68a2d

SHA512
b6d041c55ad7e552711f760337925cc340bedf88831b7e45e9fa58b6dae034320347c0efa0f4c955c658f902a6ae523305387dc025287938093945994e8dfbe0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
d869474f9165fce1f814bb920c25c011

SHA1
ba48ba398087b6ddec6a34200cdde9ee19a7541f

SHA256
a417fa0449c44fdf945142739ff072884ba3d3a4c8b66d1594930fc92ab09fe9

SHA512
f51aaa954131ab7e059c9043693512775bed6c9cf720eb73eebe48bd0f6cdfa5504f2eeb88cd6eb1a87c92b4ff8df53e28f58382e4a6a63ba25928f665ee6aed

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
0988ef7d4bcfc05428ee508daf908312

SHA1
75078916a0c2df67edbf3fd0a3ea6984daa2eb7f

SHA256
e6915433470d39af10397c4cc4ed53002305ca9c7818d1ec1f84c30fb37fb3cd

SHA512
07ee887cef2bc465c1770bbec8346555f4d6592a3e5544acfa4e4a632f813f68901cf2be012a9da3e8acfb320a9b6bfd45159f804968ce6bce48b7fbba6402d7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
fae6854c57a75892e73f3201003f7548

SHA1
34b29b2d77b655e978d3dfa94ecf5dae764b8030

SHA256
d2dad4f409ffd6198952af4a8693c6dada5df034ca11e90094a43bce901c5887

SHA512
b20ca1ceb31852a1e78ccacdc33f9b37e5e0741e640bce259e0c07713ece8f508e4097e9f5a8e522a668195cd52701b2602c3567bebaf7914ed17b41b4672d4f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
800c7dd467f05465b264deec6967c632

SHA1
5e2dafd9c2c0154d5bcb4b5147d38b04d6f213db

SHA256
3f56ab314e70999d5d79e05fb4b2551d181c205e4f893c4990245a566590c873

SHA512
14d29a21a4b7a6b7abfdc3071ea6088b14af2264abdc68d70da83f5ad272b7c00304649498feaa91988344c64c5435f3d8570e220cf18437074514b7468175aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
0c8e8bacf39bb15fb44d282ab8dfd45f

SHA1
ba1bf4a1535c6a1ece56ad900eb0db14d0dad4da

SHA256
846fe1c2b3b96a3064ac700d962969af2a5a194c93f4ae61025656c1efc0a177

SHA512
17283dfc9a2df65892c24af7de97bbed6f178326014e15ed89d924e5d618834e782c3de74d04c51d0e4c59f931254f4ec029d6db06a80c0687cd3afad8c6a1fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
3fe8776b08f9e16f867dd8e3bb1e5fd0

SHA1
d70e275fd1a07ed2590c16121388cd18e77b1d4b

SHA256
893803173e8b570ce634d894fe4a6752b4f979d12cf2623c92231d05e1ed6988

SHA512
60fc3604c11e8ddb43890f9bca478a4796d555b853416aadd68abf054e701fab96f6378be330b23bad07f0023e3ec0a5db312cb6a73ea4e79aa15fe98a3c2a6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
8441d5c5a98bb6b7afc42593827a04cb

SHA1
74c3e38a1e7fc961e022a27a45a29c13bf7fef01

SHA256
efc06bbc600aa37cf9f5bcbb72abacc7ab65e0bbcaaa8111b32bb2e1eb23813e

SHA512
80dd7b3f9047a1ee1780f957f54c9aeebf9d18f05935dd6dc59b7718d5e493e60c0f80634430a127b668f245d806e736564c423b93f670c5454ba5c91a10baf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.4MB

MD5
5a34a32f608e8a01031f3d5c41c45ae5

SHA1
0b9aae6052717e0a1443576311d979353418c492

SHA256
4421d21b72953dc7f8469f38a76176d3f809e394ed6b0c0e510d3f4ebba62507

SHA512
c814145f3558a31f98de7e3f76630b107b456a18f0dd6b15ced524110c5abf6b560ad3511af7d8b1967020000b61af114be72a875b0ad6652a4aabbfde39a3a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
569af7c3ffb8902daa3d06c0876a59fa

SHA1
ea5a79714c13b564fd26998bbb9af78dc13f54c7

SHA256
65ae1587c278d95fe34935c9aa46be9cb8090dea2e01154ec83af0d5191fd3ae

SHA512
e2645e83e6590afb2626a2c1389b0d5538d07ef67f12c5b037042043638fbad4cb95b0d89e22c874fd75629ac05d0d017516381a29a7ed565e640d92f1cb4166

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
51e71a777f8e7beb41ee9bd7dcc57c53

SHA1
142e220fa87a090a904329f6c3989747f56299fc

SHA256
9dfe36ba3676f3d309b304988fa11928a072c010611da60d5c79b586a8c21185

SHA512
dea8636d81c09bf9c9eeeaf79a11c71b6dc7c41b4e63bc8675255570e3b3c7e4ae35b360cf9b14521715c6d7c4be571f7c635725425ae8f2e54e772d1c554234

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
38fde25f64e6bbbcadd7c8156adcbd9d

SHA1
8213e2964f8f4296cc5c2556e81e4f6d8d714a1b

SHA256
8bbff6aae7bc37ab1377caf20b732c9988aa20284c8292d89ea3b87a87d881da

SHA512
fb39933ce6b8e6c93844f085c8bd223b1d5a68eb2ab80bd6891d7dc0cd4da742837b088e6fd5fd057ab40737b98619e866395b28d334c2f630f9b804833525d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.6MB

MD5
7e663fc304e86bee46e8bfdc475e3998

SHA1
f21af24860cb63f4b5b9a93b84c4c7702247cd27

SHA256
581851c6dfd15a7717626c0b629cbf149bbf556a84ec5344144c4a8f0817fee9

SHA512
76b019fb321eed88d42acba35de66e5a01c786a732df6176953cd05a2237ecf59be9693deefefc0929dc3f63b8e7fa029e155cfd86516cade57b44fa071383dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
446bff40d85587f6c6d3e747242ac4d9

SHA1
2b092e00d16af4b8fcdd78ae008c4ca120800715

SHA256
654c082ed4cc463231345031996685a77d2aa0971d136b071871162276947e44

SHA512
d2faa7dcdb438ba95644f25fb91da2fff2b0a73de4caa11e29da02218dda54f9cd1cabee88b5fd7152f2bd3bb2acd07a3fe3aba16221987c9608412a574874fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
b5de9c4a0bd2407df0bff6abbc3c2587

SHA1
a3a92f2537ecac1dadf05caa38953638cd951bdf

SHA256
9155557a163956b3d1dbdb7bd1b69b954b0817c77470fc04c644d5ee08283478

SHA512
248f50e4d890c5d2493bf14e565bc67a556062b43b32030e18bd1c60824471fc7345fc1b8c705c4edbeb1f9567a552a014fd6523f7da2937f4cd3e7a70fc9f91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.5MB

MD5
90f03a3a1302eebe09a28f891e91cc3f

SHA1
cadc1332040406426f02c2e30a5b4a40aaed7351

SHA256
8a6405950e6bd24db96d733df45e239f7cbd8b331a05af2af6743c20b53ca4d7

SHA512
20cc263198f32df75563b217444d244ef46eca473530ffcb46062ee699e8470e120695067cefc03d6ed164da13b42520b4381a9995381f8952bed25981ada05a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
09984786563e9c8781d4bc09c2149910

SHA1
82b535e638dc6b93d2a4075eef7b9ea70a4ba28e

SHA256
ea813d9803898455aed5dc1fd4089d330048e4b4ab4e20891a30154813b8df93

SHA512
7e0d03a4f74709a4c0e3a2b875e955b0c6b585d1857939bf3423d129319922194bec0716fe331f2791a915aa0d17f87a1022d575344dd0c7d9404c8157eba950

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
59a1f760d707e7f19b26b2abde330e0c

SHA1
bef850ec7e9678d54e6a85b6640499be4135c7a0

SHA256
943416044bf9786dd7f4d1daadf8e481d28d1a6f829a238aa1f999f1e568a032

SHA512
e8355d847a557f4cc0bdeb072007797825cb5dcbfe6c39549c5f9a9358112f82724d90569ab2926916a5d68882add7a16900389dc3b1945e62c2aa66429f12f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.5MB

MD5
92d7d2a81199b8cb79ba674a8517686e

SHA1
53ff7ff19158d308b8b31b48d67c3f558a6a84e2

SHA256
126059770d32277dc1135df8a99b48d1da2fa56388337025f7d6b5ceecbfa089

SHA512
3db122831e2c42a541c1406858fe5a15b8e76af5ef310a33348c108ca6b2863080c5f78299454c7b06df62a5a268652e41f5ee6e336391da3fba2a6dffa50f52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.6MB

MD5
0968cd06be2b2c969db01bb91faf7ba5

SHA1
1260203b84cd12725efcec1f338563d755b01772

SHA256
52e9cd7134666bbefff900aff8a0761fdac0394675c229c00f97a2d78cc39da5

SHA512
52ee425d8f3568663d6c29fe391b162b3a85e064d108184437a7782fc3ce84b007b34784c682e9332fa6681bac45df42ca0688b294f0d505a9ec89fa2a2bea3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.8MB

MD5
5b98c812b296df4008a1c6ff3d77d4cc

SHA1
1426bf663459e0003c84788e91574684eec80bec

SHA256
14129081026384ad91953af9747a407f7ca8be68f89083264af146c7117ccef6

SHA512
0e763e90576982e8dddc16270b97ef21c7d5d4bc86d55ac85de5c805cfe777383a92bc32f5d2b59137b9997d0e9225f56a7a78b273e852d8ae871dce4e4c176b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
1097e17b0e5f416b0227db870f3649eb

SHA1
c80d347dcd0ed2d71de73fae4906a398ff5cca11

SHA256
ed802ce9245398aef9163036407ba5cd31f7f83eaa489bf01757b12e7bff282f

SHA512
cc4a25491e3eb2a65de4205b31f6279ccaccbce7c1af71e85826a47b4d6703ead64d87a2e502be01b711c8b4337ea1781bcb1668120d7585592f993bfad04f37

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
352adf5cf660983f02c8124a2c1ebe04

SHA1
bd0dfb0519ac835e978ff591254512a83ab9627d

SHA256
55f1179e7a47304640d9f052dffc0bd37899562c259849df3575767131bf5296

SHA512
9a4653658b7ebf662a54a1ac1d8ef41d561d30ea601262bf67929c31d473e0bebeb13fe16eb29938ba6fa420d53467b9145f462657ecaaed265ec6f1d096ad89

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.5MB

MD5
58d296a8480383193099c49ca27e299a

SHA1
81fe02b43c8d34c81a420c6b869259cdc58d82a3

SHA256
741c20bc983abfc10ff4408634ea9d6296c6e49877944d222fb5d0320932cb52

SHA512
1f590fd94d8d7811c007b2f78ea919a01040516c34488b2c4854c0fd2ac3966eda2dbbcf561b844fe3ba08fa43d5d7f538c53ecc9a62639937bbee1ed1a1a25a

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
74f893bdc019a64bc92a93bc243e2386

SHA1
8f7a9c730931bb47655a713611e099b63b4bf092

SHA256
d63e873d67ecaa59979abd50d981ebb6e237539bf8c26713f46d4299d6d3456f

SHA512
5b5f50cd4248849bab4437226bacdf20d2b8941747c1910f1b13099cc81c24a548f7a8c8b83a35021c59766ae3fb9884a02c412e3389cb334eb7d7f1e7b49e46

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b7aa9decfb76ca8b12981b2b0f4fd435

SHA1
b529c9892c2a778ebca3fe2361df9380b15aa214

SHA256
97634deb000011b07015c69df52572f9aa08bcf3a9b71be5308abfb891daf873

SHA512
e529b175acf70c6be39e2f4921d421e3c9101d393cd2260e89328aed9d6330a9a876dcfa151bfbbaaa205b9f463c5ce4d1801e2b19233b386b77c8b01469a45c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
3e9b013acfd649fb09ca34a5f7e2b0c1

SHA1
ea028920dc9ff474c7420575250dd09765a4b130

SHA256
c05e020cdb3cc7479dc86266950b5c66e697fa580b57f140bb0606f0e81906df

SHA512
9b70787e9a59e166c598178627648831ffb55277f96d38f62f76da5403696ef3396df7be6c2e934c040862f6453ffa715e6e15ab046aca40f60e250f1db199cf

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
23dc3b7d8f6f5f998231f1ae7cf1c557

SHA1
32966eb978594348833d93dfd425f39fff8a49c7

SHA256
594c08c07c49bff8e21f677d73e4138be8f186d68ece1ee122e5ac5dbdf67cfa

SHA512
83fcf7f34fee8cd8e823804b1ccef145b7efd7301cc1b984ea5275c02630b8bc4217b393c5bc8b3a47e3bd3577f0bdfe22ad858f37eae8389ca8257e8d270618

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
53e45a08af0e6dcac06fdb322487658e

SHA1
86f7d6052067850ed008a6e21442ab1544e42da3

SHA256
b16805b8198831fff9b4d1fb9a5414f6fa0701983fff1dad24a55dbc9dd21dae

SHA512
cf00aed8836350ed35a82f92b4268f4ff36219a993ba34e72a68158b210f927fa75e15bf7bf2f385b0f236ebe675720f509adeb20083469c5c814038df6688b1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.7MB

MD5
46476cb9068291f519cf7c99d6eeca4c

SHA1
fc88dab8cb7fe4bee9bf1635d8662bba4cbfadf0

SHA256
fdb36adf9fd1ade8b5abafa3eeedabf23f10442c2b152f46c4cf8c772bcf913f

SHA512
18a5356649fc911cf173ee9005772228455e66b2e42ca36b0785b6941856eb8dba4f69f3b14d1117ca8175831826161eb91495c2561e8cc6499417591340836f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
962b110b59aadfb655e4ea557da32d23

SHA1
0621a2c1f3827232db950d133abbb58e13ee6657

SHA256
11301a541552cf1500b8b96e9481bf761e4119f72685816f6da50a6770c114ca

SHA512
839c9c7660e2ee4a1d481ebc43c15b87dc3bc04b0f3a6268c5e1d9e85eee22bd39ef68d74c9443fa37d7fd758cfc644991759f5c1520ac8759f0c5bdcad2e201

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
794dc0ca59a0f351ac5eb69db2fd738e

SHA1
22f6354683a2dbe613d161e1544b2f2564b7c22a

SHA256
d98d5c86dfc718fd7da472429e6d746147191b7be7674381cc52f69ce1faf18e

SHA512
f856b45ab2cf5244e4ed3a266cd505541d93a4835795f7ecae39c58d5ddf3e0831cbe887d0b39265cf0095036298f8fee0387417641c8478fe9097c7c756e825

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
cf38a9ebbf4f583b6bc9462e02c8f892

SHA1
800437621d6745916071a89d0c765211d8f842aa

SHA256
2c03ac24ad42c54a3896aab49ed659a761b8cd854d44713288b04c18fd392001

SHA512
3aa9154307b8e597a46754fb36d4d754838c25b1c05a483eecc3089bf0ed28ea10dfbbde97964fbbb4cb5bc068594f3a29546a0a3542162914df3478d7b0c243

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
17aa6ad67af935069fb7967439c75890

SHA1
f95835c808351f10d975aa5d5ffddd1283063dbf

SHA256
e4ee403874c5f0a4f11c0a22ac42ed484a89c3b9f306dcd666d9a1f94acb79d5

SHA512
e3a26453a37f8ef7c846f08ddf4d935299d2d28d210326f9981f745dedb370b8ad3ddcdd07228c51151e53d6d93888f0a6a4bd51b75974bfa29cdd3d6acf42d7

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
9f27ca0f4816f89c27f3808e8de1aa4a

SHA1
275f18398d598fec097488161c57a0f17d61836f

SHA256
0b3fbc339e1514cf83c41c585e6686d613024e404ad69a0a2c60f05182d6b8a5

SHA512
3e660726bfdca18b20ecf65de236b262fb8335d4955ad027dfca7071037af526b400f4f7e7f85d86ceb33d1142f30cf1a10a5b187463f82e86a9ab803b7865be

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
3bb19bc7868ded749fd91e593a104f49

SHA1
9926ee93f8e442e56099299dabaa70068a1edcf6

SHA256
d12346f37a129cb032fc1aca7a74dc02486eb200d3a092e46eea1ed7c2508e8e

SHA512
9cbadc975458b7019bce0ead3795fe9504c51159859702cdef5a391883e5b0f983fff117239118673c9480b4566917c79bb376c183d07e271675ff038cc8e388

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
944849b92c3911106cd5bc1b4324ba4a

SHA1
9a86a614c8a59907bf015518987131deebef3d7d

SHA256
d098184a5b1e20d1c98d02f8075559067503128747e565bc588353ec48495152

SHA512
79614575fd11436c7095204dd0858dd10bfdde9fe67029e1bf96269614c12b83ab9ce119f5a4c50f1ba0870102b0e8b4a51bb7c97319bdd25e3aa85a0f8e2678

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.5MB

MD5
3b1dce4c1202b3bcb792f2b497c605b2

SHA1
dd06bc8b1fd0b57ee6581e90ee6a359971ddb197

SHA256
7de2315f656f5ae441a74682fb79abaa0472dd89f3874ea2dca7feae7bbb24cc

SHA512
a37d202933636daa52a86dd02f15502529c58a455d67d1d86c0d8d89c73ddd83f7e0cc25acbee0f57b8f993b8a4c089a12120ac0c058fc7e74515034bfc56d7a

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
04add344ae44c01c3830bd6ff4de238e

SHA1
70cd4354b4b5fd8be663d27c3b5ab9a7d87cf1ef

SHA256
f9df85e71a67ec608a9bb0718a3c916fc52d72ead21d501fe1bdb8e910526d9a

SHA512
729775ca4912f45311a7d4881431258759d7a86381b110619f900a0ed3c0ad6ce060b29638cd4fb88b083face491e79ec12423589c00b796f896ec679b296bfd

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0a9161be8699f68ae7fc4ceaf7c4ebf4

SHA1
e6deb2172967302efc8365f4a823d2d1d2ef7fa2

SHA256
0a2705cb54183b9168f695c011a4ab2586f4334d54c6f972d35cfa69dc33a284

SHA512
d7de9de510eb015f479e4fc9552f0c6e7a8ce8cfba6bdab8144c894cfd2e044eb72f16f94dea0d5b1e1fe479e3bfb67b34b458ee6d8f8a63558a91536f641339

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
5ff9f7021e225f7713dc7f0028e521c8

SHA1
2bc6afed4903032799d0ad456ecc4f27dd116d16

SHA256
adf848263307f1af523ffd9605475fcd7b1c8f7e94237206c2eb1bed07a22525

SHA512
15b4e0adae0a73e1c6135b234667603c18bfb288c516887ecc272c56ca9089222d54e2f32ceb6341665eda20a11549fd3efe43b9562e7eb3624a11375231e461

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
01a5c0f35b579cae954279e3ddca61cc

SHA1
ccc202a1b4d95e8cd1853359a2593d1e34e3ea77

SHA256
6c6da0791fa5891db8cf3cadfaf26496ce7cefe0bfeb11c0954cd0c552bc0820

SHA512
a9a1afdf29d5102ba2231b0474d8f6d3c1132cc20278ed2a3b3ec9358734c96c2d4b5708537b2b325deedf978ef0eb9f293886284e2ccc7f46a05222988f0549

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a405a0c03ed1479ab2b48481d1a1ccc1

SHA1
a2721cc55b008cc0d1bb0b9cdbabdc5b159c454f

SHA256
3ce66ad834963cd4709009d91a5881d6789ac14b8f9939e46de04adcc9bd9262

SHA512
fcedfe99d0bce9cd807b5e8e0469a0b3428006ed7d2d5dfee694bdd9875e6551623732c394fbc8514a293b56679994746229a385aff82d3ae6a85a9d9e8985b7

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
b0f4f89859fda0747d8c0d971690a1e5

SHA1
d68f85aa24f19b1f4f7c3919efb1270b6a4d0fd9

SHA256
3df4d127e972963a75cd6d258a577f42f2d5385a892c944fe3ed6a8337fd75c9

SHA512
d93b3850d97efb21b73a57c82d2654ef789c0157ccb0219846fc096ae052ed860e9ea675b253fcb6f5578857cce35322500e4a067414a7ae0837711eb73d3a0b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.4MB

MD5
82ac6162c75bcf4dc5a62d4d9be588fc

SHA1
fdeda53e47472d57deba1aced020d6869ff64e29

SHA256
db9f011b27e5d7ed3bf411effabdbcce14279f8d7a48c49fed0f1b2377c5be6e

SHA512
3fc80459eafd7475dd4c00051c5a927800406686fcde95c6339a46d67cb46660ab63e276e98ecc15c76331453e194c519295977e2438a7ccbbbb5609a92b36cd

Download Submit
memory/560-191-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/560-294-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/568-326-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/568-206-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/872-327-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/872-727-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/1260-282-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/1260-176-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/1884-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1884-712-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2480-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2480-21-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2480-197-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2480-18-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2692-722-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2692-283-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3028-306-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3028-194-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3244-115-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3244-121-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3244-221-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3244-133-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3272-331-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3272-645-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3272-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3524-8-0x00000000008A0000-0x0000000000907000-memory.dmp

Filesize
412KB

Download
memory/3524-494-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3524-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3524-1-0x00000000008A0000-0x0000000000907000-memory.dmp

Filesize
412KB

Download
memory/3524-182-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3584-104-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3584-110-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3584-139-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3584-137-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3584-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3588-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3588-280-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3636-257-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/3636-721-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/3860-313-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3860-726-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3872-295-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3872-723-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4384-617-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4384-228-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4484-254-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/4616-93-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4616-101-0x0000000140000000-0x000000014017A000-memory.dmp

Filesize
1.5MB

Download
memory/4616-99-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4884-728-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4884-332-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4944-164-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4944-156-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4952-154-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4952-147-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4952-151-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4952-148-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4952-141-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5100-125-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5100-251-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5100-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5100-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download