6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
Size

1.8MB
MD5

dec1482c7a2f45f2983b7fce28b99bfc
SHA1

7526f4919a4ea87d0db6281ae4b079f840d782be
SHA256

6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7
SHA512

8a319c5d2deffaa08085188d2329555783b962da50be59e1866acdcae2dca693a8aa01c6cbdfe86a8640197c5ff9b5802169b2e754b5a764b3fe87746c27dc7b
SSDEEP

49152:Cx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA5/snji6attJM:CvbjVkjjCAzJQEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4692	alg.exe
3064	DiagnosticsHub.StandardCollector.Service.exe
2372	fxssvc.exe
1492	elevation_service.exe
2348	elevation_service.exe
3500	maintenanceservice.exe
1584	msdtc.exe
1344	OSE.EXE
1400	PerceptionSimulationService.exe
2428	perfhost.exe
4544	locator.exe
2808	SensorDataService.exe
4016	snmptrap.exe
4596	spectrum.exe
4908	ssh-agent.exe
3088	TieringEngineService.exe
440	AgentService.exe
3608	vds.exe
4272	vssvc.exe
4416	wbengine.exe
4512	WmiApSrv.exe
316	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\System32\alg.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\System32\vds.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a26b144290c504c9.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\locator.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCBCC.tmp\goopdateres_hi.dll	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCBCC.tmp\goopdateres_et.dll	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCBCC.tmp\goopdateres_te.dll	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCBCC.tmp\GoogleUpdate.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCBCC.tmp\psuser.dll	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCBCC.tmp\GoogleUpdateComRegisterShell64.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUTCBCD.tmp	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{81C44847-CFD4-4467-BC43-4620F6C2BDBD}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCBCC.tmp\GoogleCrashHandler.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCBCC.tmp\goopdateres_mr.dll	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCBCC.tmp\goopdateres_bg.dll	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMCBCC.tmp\goopdateres_id.dll	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f049756371dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d54426471dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000400f206571dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067e7726371dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c87516371dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f62f06471dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038c9576471dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fdc6a6471dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3064	DiagnosticsHub.StandardCollector.Service.exe
3064	DiagnosticsHub.StandardCollector.Service.exe
3064	DiagnosticsHub.StandardCollector.Service.exe
3064	DiagnosticsHub.StandardCollector.Service.exe
3064	DiagnosticsHub.StandardCollector.Service.exe
3064	DiagnosticsHub.StandardCollector.Service.exe
3064	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4612	6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
Token: SeAuditPrivilege	2372	fxssvc.exe
Token: SeRestorePrivilege	3088	TieringEngineService.exe
Token: SeManageVolumePrivilege	3088	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	440	AgentService.exe
Token: SeBackupPrivilege	4272	vssvc.exe
Token: SeRestorePrivilege	4272	vssvc.exe
Token: SeAuditPrivilege	4272	vssvc.exe
Token: SeBackupPrivilege	4416	wbengine.exe
Token: SeRestorePrivilege	4416	wbengine.exe
Token: SeSecurityPrivilege	4416	wbengine.exe
Token: 33	316	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	316	SearchIndexer.exe
Token: SeDebugPrivilege	4692	alg.exe
Token: SeDebugPrivilege	4692	alg.exe
Token: SeDebugPrivilege	4692	alg.exe
Token: SeDebugPrivilege	3064	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 2636	316	SearchIndexer.exe	116
PID 316 wrote to memory of 2636	316	SearchIndexer.exe	116
PID 316 wrote to memory of 3944	316	SearchIndexer.exe	117
PID 316 wrote to memory of 3944	316	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe
"C:\Users\Admin\AppData\Local\Temp\6c994dc9ce79c32cb963bd2c8c994c51e533153e9baef0831517169f1b769fd7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2152

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2348

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1584

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2808

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:844

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2636
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6319c2c94bb2cdb1244c6a27d8aef0da

SHA1
cd244a2e1b6e5ba3df1a5442f9a3f80c671422b7

SHA256
2e96a99703cccfccf440bb1d19040fa871eb46a424ffac3039298d265c8497cf

SHA512
1402dab14a2332a4195dacc25a0758192fe94c4a97d4332abbf885e29c4e7e147162f2f46911e8a1b602f96787ca5a1636647aa5b6663a14c3adf1899d51af29

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
f4bbeccc7ccdfcb4ab26686020075fe6

SHA1
7e9f45506998b322a9ea794096baf663b65163de

SHA256
884958039f2c0f25f39d70e63af2f91e5896a20a2cd7969f997b8ac50f79cbd0

SHA512
913181d909518bc39048cbf8e20e066b8038f8719f8b33e4b4176a275e0967c7d7c9405b1bcce54b2e9a7bc5b2102b9a9d99f0691eb2a336a70d189621dc39d3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
308037065c6f86b6a8217f1b2c1afb09

SHA1
893b04eb6d916401ac2fab6d41ab314e8827e12f

SHA256
9773172203009fffc56f496ebda5a7bef1c2e21281a11d719fe6791131319ccf

SHA512
2c56bfe315064f871f0ab66df9e1943e8790dcb2dd55e1b2c44b2ec8e8c4cfec4e955d66a392069c9e6db57612d375336599cbc81f3378271fce3b3e15d5fe8e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fe7735942c777836d71b3e05bf785020

SHA1
064fdd831aeef5bb5db3ed258b1c5ba35cc9b041

SHA256
d7c782ed6a31b14c3b92c44db329fba38b68b1625444bdb6662b6513e709312d

SHA512
e479011b03eeb53a60683f7756130c71981b56cb11dd5e1accac5017528b375d9e22b4982134d1086e195e73cc537d052cadb42bd6646388a843a01bc862cd00

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3e50b1f93beed160814c672fab978bd7

SHA1
bb975aeaa482e9e22d210641465993517a8ff95d

SHA256
311943e2aa04ea79e6931a45bfd2e374e60af9501f54a2aca00c8415b20d31f1

SHA512
8a15ef6cf59a6754be63afae2c2fdfa9229b56ac6b44bd11a11bdff63401f335793375f21fb5bef24db01da4069c88965f2924ade172b849fd782a945aac4df1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
8db111381b1af54fcbfeb5939b5aa2b2

SHA1
6d2373e15d9b35dccb77cdd0c1101b452c5d0da1

SHA256
0437f6716bfdcad837b5ac4b753f4f8a605a9f154a611e4e9217f71bb70f3d65

SHA512
eb1ae47fe4dbbddecb94a6d928cdc4678a3887787a36f1a8ffdc0450d260c346df9dcbc202d14093990ac8c13f6f087b7fc643af17d6fbcbb107100ab86e3f12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
3f5bc4930e3b5400be239d299d9232c1

SHA1
0d4afc86a93231a92c6462e72feb57a1d82839c7

SHA256
1a61d84892e4c7e6649650a69d07ed131a14177d99687078301d2cce494a829f

SHA512
5714bab4c685f14ca04f1219ff3bdfad81b04b01a8d68b0df5e189d8b49d528132a3d18d54540a012f779e6f05255ba2275a97a3b8663ec6f6240b00cedb7f74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cca48ef21e632ed9022f70d8c47d6f13

SHA1
70390a614cfb4fd32dd561b003d5d05a397325aa

SHA256
ba7f6e0c5142716cc8bef981771b19470e3292a2375d2e9cf35f60025a8ca05c

SHA512
c678798582a4d2b7bc9114f066ffde804bd02fb0a112226b8246bb2a8721139a5de411e5bd18286dc4f96ab98f139858a7070d13140a1fbb632feac9433bebfc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
3c25ebb986dcfc53c07bc92d397a7e16

SHA1
712295a63aaaa630ac2988572af3dac9bb5f3f5d

SHA256
deebf07c2e6c9bfd38de51a6b113bd3254de9c87203b1e9a79d92e0930fe8271

SHA512
814c4d24d4a09416b456aba6a13dacaf693eaa857967fc3d49f3b55e6fd43619bd6f1ed1ec9633a5074d88bef7792561a507b631f6a258b732c9d415aaa21bde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d2b25a3a58ffb9514f4e9bbf3408c780

SHA1
d0e246ffde2d50567cb91ca9fe82b31a0a72906d

SHA256
bd2442ae8849c48f0a96b7cc13bed57287ff076879a8f5c5e211e3273bec03a5

SHA512
1251e4e4e5fa1407a4a3d419d1e2d93060c8580a4225eedb8ab4e60666d42af0bc006fbc959981c873bdadaadf8f9be812e9f224dce53036120e6f7a2ef3edaa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f65fdbd059b088fb96e1b999cd81bde3

SHA1
31c067d4f3ddeb6be28dd45d18a8919c7af33203

SHA256
728fbc073ced016cede77adfe42ea0286a78bcdcb95669882128e7dc0f973f0a

SHA512
0d2c0600698f1a6fac799bfdf43b0480b496c01aaa4020ca860bcdecea3ee9aeb1833387626221ac0d009383c295bf63c5bd3995363ea64e900e9df726db7d1d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c276ea3f3521f86ca8a3c4a3acd0f22a

SHA1
df5ee49cc9bfdd515c99de3624aea7806177e016

SHA256
dad7cae609fa08ec33076a4d3f3bc7f3a1c76b4e71e0abebdc0114eb8d2c830b

SHA512
a4576e3c0ada012232a66c2e313bbd80faffed6010d0a057c5bcea1657a82bf39a449f5bbcd0e76ecd3851c4782d767f2b0aa98c0db123286bb2926a31db6940

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
42a412a4243fad44dd7b4e11645f4a24

SHA1
1f6e661cb6c1239192622f236867f2ed3612466f

SHA256
dd299a2a3f69eabbeeb27b19f0ab9e6de4f96b53e0f93d4c7ab3b2b086b84e5b

SHA512
0222ab1bd046be61ef1c8ab287f0a5157abc573edded8edf0e7f0013870a47cbf4d1571d2ef4c547a15accc1b328a15d77177c24c2e4a77cc52e83c8ea1fe2db

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
dd3097360f1600944e3235f3eb921ff3

SHA1
57aadb56a0882d2038d1ff5106a38e7c37915171

SHA256
d683c4c45a7572eff7c5f02d0bbca2fa09ad33f870fa8323f2077a86a8481dd8

SHA512
a97eaca6caf1ceddac2e6f33bde09933f1c50949a35ffc1bb7051a1d01e4e81bf69db1b0082479979c8c1b90472ab7bdd91f4142d8f0501548102719e1dad97c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
86d3886a19de5241083621c4858860fe

SHA1
717229a20d5e354914355054935f78f999ce9c38

SHA256
10eb4e6e113087874684ddbd919a33209c164c3c1d45ad5ba1d23e6dbae55a5c

SHA512
f52731e6b63aa6acce2defaedb32c4cc2555223565e32298d2324b859867f29d86418ddfa33699b1b632e5c2403b6023a7f1100b46710b4c313e4b62a1651d1b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
f7ffbe421f6e17008635ffd37f6cfaca

SHA1
defaadbd01329179bac0f9ffbb0a7fd8c83cbb76

SHA256
5e1def5fe9332cfbbe67c2fa4c4ad060d433a42e49558378bc609791d31c1007

SHA512
af4208babaedde49056d5dd482b2698794e0e2d3c0f9ae692d329fa2964d0a6cfff2dd435dbe421eb856b1796e99ea0a46d0f27bbfa63344f1c14fbcc291dccb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0e01684399ca086e04dc556f579b02c7

SHA1
1b4ec0fc0edec0035dcf6d2dec9b86c6baf9ead0

SHA256
86140a073e89ce813a627c333cee4e9c979391201952345cd192211aa82e805b

SHA512
d5a8652a082974ce525b33a49b056bbb9d60aeb70ea56fe5acb2b0fa3cfea5c77b9966dc03b626e67286fc59eb5cbfe83830ade8051f2561f818dd407a929e56

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
67305272cd1b67297a82881dbc490d6a

SHA1
08be470e1ec39057d4139af9f4722f741213bbb4

SHA256
8e409e54f8fe678a552d8d17c8c17d3e3f4f3446aecb7a129349ae6c1329fbcd

SHA512
2ecd627f37af54552a35a027adb92ff7704c24c7b299127d60063059ebfadea112641e11bcb2953ce63b42fc8da1e907c077c035d8904e79230756fb30a27a29

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
934bf014328441c42dc7271ace09ecc5

SHA1
6d5e2dbc40aac9a95dae48f1bca56dad415e770d

SHA256
20c04cebb9cd00ef7037136e2c96de09f715a4c7f048a166383d3b0a128f539a

SHA512
b49aaece08c9ea6e975e61ba1d65998650a6833b2b5b2b3470bd26f580fd88edc87c7061d7a4db3e8518e740fe652d82bbf33e0b9413ff0dda8bcf32fadd552e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
874f03ec66347a9aef1eeb971a0cfd5b

SHA1
8285f140dea107f3d6e9da12caf2336d16122962

SHA256
aa246a34babc75f7f0884873b04d92cd9f20dab6cceee8ee7ed4356bed862b26

SHA512
dfefade7b4c478675341323bcef279bd10d0ecaad25734684538d8a62d5f0c22724d70e6734ea244b0f3997b90811b113e3177b35b40f8cf550ce9db769ce7b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
6ad6fb8b383b3f009d8c490183e3437f

SHA1
914efe1c52218d0198a8e880df48154d5f0ae38d

SHA256
1612b8b0f3cfa44817b5e468c98f7cf22ff4f71f468a6cff16eca88423c01338

SHA512
c3af03a7dcc86f9435eae70a3792f5fd0d94dc68185a8e4f512d65f0d28c86b97a7461e6eac3827dc5f7e9ca0a9c9c182f16ef40ec396349cffd5fe0eda6f17b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
eb348e690b08a14e78a38c01f5d857d4

SHA1
df7aeae6e62e966cf7d19953237b711a9dcb910b

SHA256
4700fd62fb5a795b7a4100f3108e21a38da76e4e69f12bb1220ca26fa818fd56

SHA512
42709f587af8af9e4538c9cb5f7afb3539138ba4674da585c1b899434810a91ad09e19005a77a396a42ddd53d86331d2a16bfc5905630285f755f1e6fc45029d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
7ef55e1a14cd643c6998877cf1574501

SHA1
b39ab454203aef5f5d995c1c862120caf7270716

SHA256
68771640834e23e63a56b27eebd6146b9b3d3665a605f1997c6d6fd4fcc50635

SHA512
bb99be7f47f8c9f6bf5d944a0809df52aa259b071844a09f04f2346e429d8291bce7c9c384ad57ac7ed3ccd389a5dd95b2cce3b9ef3e90af12e1f5198430fac6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
8c86e5c4dd0c646284898283fe92ceea

SHA1
63d5c337a492959d8cd121a3defaf65d02922071

SHA256
d81e55a88de3d5e0608e823349b71e14ea31600aa199b09425e6e9fa8632211c

SHA512
815374d97535ab9731b573523b64e2ab731e44d2d5f23226694b11c36be37a70b67b3a0d243fe55366f7d71944b72d38ac137c3962bc0c1d5b0bc9a39ac54209

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
3bb0bf466c64ecb4360e10224bd1fe7b

SHA1
a3af263b0c537821bca05105de9e9ef0e98d4133

SHA256
77b6082503ced1c9e2864b939529734e699ce48aa57dc61741dfd4741140e131

SHA512
851b660d6fc4898486907feb1198a6dad304ab0e75fd3b5114000d849816fa5a6a87e8f74593dd40e85134e3997feac05184df6f9c4a4893292dd54d80f7c2a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
e9fd8c5518954e1d577e1cef21ed60c3

SHA1
9fc5811c3815413b2c2ee430704932fbb885047d

SHA256
b3aab7fcc1c552c97c0b7546a9b1d7949c6fedd3b9bac1ac44f438cf95009d73

SHA512
398852c3eeaeec6abf1573f565661060e9460e0c611f917b80953265dcde200222ade5c900ccff4995a62e50841f097a82266a2e86216fe75659307a2f80a744

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
4969e505c6d610887981dde9c0c282ca

SHA1
7044af138b269897bcd1d0059b568822387c5028

SHA256
d5f46e05416abc2584bf65e88f6bde3de3e1e04a6bade1cb35853aa0882b0507

SHA512
3747342f872996a2432d51e232b8d290e4048b8005c064484d57c95f09faa34c95aa21d2041fc16153fddc9ba1867e004539f52b904535081ccf7908ed1de127

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
baa6f3c5ae5ed4b1c3cf0bafcc763cc3

SHA1
f2f072407a3de84cb148ea4a02ca5e9ac6cb396a

SHA256
96e17fd015b2bfff9d9b41c4ec703fd11d005828283fee798f819237df71be35

SHA512
7dc92c191e92949101a24ac392b9bd1231882c23060e63be8e37d47f537e667a69fab34f4122bed2d8569008a86d36902aa9db4e680e25228b3fefc80cbf8131

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
fc20638c3833a120dca814e38a8a6924

SHA1
24d57904987df6f4811ac1304de26e098de82568

SHA256
3b07601997e82a505a460b606142f86f9ab95980007ed0363e77f45c18b9a51b

SHA512
d49d02146c10bf41272887edbc9f39cd1ba3af78634dbebabc8abc625398be677d9bccc4f60690307af9403a39c00c08c64ffbbbd935991e915808373ae70214

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
259300ac27c0629fd893de162e40563a

SHA1
57e8a0435553ea78850227281a08e958e3856734

SHA256
20a7bcfa7fe6127071e224d4bb96d8d30671fadfc165fb7ed2e84fa5a209c500

SHA512
eea1afcd6400e2410f252b12a2b8c10d3f3ce52120617e5d5c11405b27e37db256e6901c1b3812a885916ab95e1ffaff9c41f1bbdf48d0d875d89a3ed953e5fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
c49ba97d2becf737148b3f0dd340d5ab

SHA1
8664787e6792ab3ab6bb5c8e1f7ed36b7ebf5bb3

SHA256
2f8c86758fe57e37d2acc893d68c74312f3fc17048ce054d0ed1887f5338b61b

SHA512
b60b8d14122ab2cf9c914593e2a9c6c9f7d7a4948bfb043e67e2f3e1ab44abfa073438e4e53ab6d3f7322a3f3e7ad40daec2c636dcd75b1f45a2ce18fe247d1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
cc1335a8877063f290be80f273c6d261

SHA1
80936b2a237ccf3fde7cd00f7cb2ef8ec64f62a0

SHA256
3330e2898b93bfff8809c9eb2053c3b2801726ade11fb8badafcc77234201df5

SHA512
03c1e4918ecd5a1fcaad33b13f5ce7904ab28cf0ccd89a1e1ae81629302a6778b45b10889b6fc10d286cf4199b27ceeb7a95d59343dce8014ebb48393e7dae63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
640d007e730c96827dc1d0a799939000

SHA1
e5d68915cea2ded81ee1593296db2753f673d768

SHA256
43ca81a9f8219d07c6b642bcb0df3b62d68efb91c344cdbd4f0b0601e90f0bf0

SHA512
a6f7719b5fdd3f9b82518e2f456d623be9ca5d9ecc01d006999dbc56ed710b656cc9b23d380790c44b58a619216ae184f3fe7c41f9506764d2b22edb430cf4b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
2d3d0863e94294fb7549bcb2d29051eb

SHA1
8c36681d90c37d91be583dc16521eb2076585b83

SHA256
59c7020673fc1bed548365929fd00b5f84a1eff18508b0112090b6d7d5886ceb

SHA512
60269eb8d88756d033c0219b28c9a310ce8c8e279564d2f4ad3489ee3bbd7309b7febad835ebc7b3f80e649c47cf593b1a55ea62089f97c77d2d36253dd08535

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
1d3e7c60a59f0c11855fcbcb54050f02

SHA1
597e985ef981969c17b0840d15987b8f94154e5f

SHA256
33a55cb21ec9c7e921efd2225f10d073f9e21db19074e51d3b331469d037bbe3

SHA512
dc48e97dfd8d251de0ad0763a0a0b6891528adde8af3d24e68396dcca81d5f9150db3b63dc7818fdf916e8df1b7bcc709cae099eed7a62dc281f8e66bf83d1cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
81e566ffea8c6f35ae96124058f70794

SHA1
2acf581825a4c8169fcaeb3225ffe184e8392858

SHA256
1f889851ef3330954c2ea72a27898b685f8412ed2f972b20fdbb2b7977ce222f

SHA512
cf65d0272b10e05b2e33ca0cca7c1e99e66dcc11840d4728a46425849697d1d2c20d060c04637553881bf4fd77e72180c8d72afcaeb3a2e0f8127a6a35f4b859

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
bca7e3be41e389e95c01161079e9d07a

SHA1
07ab35fd4a746a99d0389332042bbe7a9e7c2373

SHA256
37ae7f04b6d94a259b03d680f7077db3e302fdaacfef46592690d87ee646429a

SHA512
7bf5c4fdcba1a8d1c12967da01c6823b6afba598ca5ee261a87df2172937d9d8d2628e7ecc85e978fced6182e815a8d207b2e2895680a9596ded7b303edfd3e1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d854783c946ddb6710682fff3648dc4f

SHA1
305a48292411fb620016961b7b5f1c9232c96b62

SHA256
58dd6530a0ad8f1ebd1635b7eb5ad20d0963b324bf1ab31ac4cc2fbc88e1f534

SHA512
851184b4762c14bdc4572e9e2ff63acb28697375009a366964cc7af73f2ce72b6c0ed3065ea3eae0d741aba2606bd99fb38395c67489ff7e206b7830efb67191

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
333759b482e5adf4ca92ab863e697447

SHA1
f12581db58f4e0152e02559537944858e586f53d

SHA256
58260d5a303e64da37d0ee67ed575303ee75e31790d969365799f169c3c695a0

SHA512
800e84a4bbf4276ced6167208d5e11febf756e1100e50c9324c35d013f37c585d8898dc6879bdeb48178de6e7894ef5392335e55a12aa1bc007c84e803d09a70

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
87fec4e2745376f35eba61b2a059562f

SHA1
488e58e42d12603d1728e5893323d9084be72121

SHA256
d2d63e98817ddf8355de6c3340478e46df6accfd864c747c03fbc2f63d6610c6

SHA512
4f67c9067ddced99a6c37bbb04c4f380a07c9552d839d9cdd62d82f5050897a5d551e9afbd7cf82b4ce0c2271faf753680269fba4496f397274ba6c3e17767de

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3aae092e54468641b3c09b72786a533c

SHA1
5184b1a88afb33dac7a63d59058414faf27cfc65

SHA256
062966d911f10f0e640ae812b19d36cc2ec6f3ed1f6f0d4f510bc47232952392

SHA512
15c74d35f503373068a3268bcb24c04368a51bd179b9205e68416399e98aef7abfe3108bca3366b38ecb549c3e740375e70392e66f5f2943f454f51f01b74e03

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1694100839ffcfc03aa73bfa0317f950

SHA1
28c25239354d28d60336818ebbd50f2b06eda9c6

SHA256
7c6b0c0845cf4d0fff28d366e30fd0e110a83b6d04d5ca7f5cb43fcd97e5f117

SHA512
7abd9649652e2257e6853f9fa2569d21d906f25b9853d2f6a527ae65bc9300c77eeead421592266ec2b8a23b7e1a92d1666e13f417ad7d5378a6bddcf1b723b2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f8488bfd0146cdc6cc198f6da580e6be

SHA1
fbabb81acb6f574aa978101bda5e4078275538b0

SHA256
2805c30e2a73f4339e8834706ec924baf44642cbe292286bf550774da8ec4800

SHA512
e401e26b68e4901ec126012c1e71bbb7527310af90e59f9fe0f8739718c830eada4c9aba00b622ee336a8684e59da199a6b79cb55de2bfb277d90eb211ba8c30

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
079b8b8d8032bde28aff0a9053985076

SHA1
23c8e94517bf50ab357dd96f5c97120d54667144

SHA256
dae7b2b3467f8ad8fc5ce2f0fc559f67dcedc11c333b114f18de5e0e486ac952

SHA512
24bd531edea86d5a36a3a42cd428e3c70244ac593c269082b76bb7a9eb878de3de315817333d4a2d6033d752228331909c1e4a0c0b8142e4238ef703a3b74468

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
1e104bf552777bc0a081dfca7db99e54

SHA1
80f6cb70f0de89a19be88dce28e8b45fe94881c7

SHA256
545911f3dca8026c0545cd587a9509556a5bbd36c0e925210915113af50f11ed

SHA512
59a15cd4a7e142fb35b6588257003eae467cb1aec5e67343b8d08f142fd3c14dd5903778e525a63e5b14fba07e73f1a1818612b2bb4751320dcd4ff6455f7a1b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
7aa98391ec1804e76815b780cd44a148

SHA1
b07be317feb27a96eabae2752da8d88082212676

SHA256
f51706a93f0a8d886e39ef69528aebde18a2f31e8b4e586dcddccb65184a1121

SHA512
47b7f1e83417a45d47605825a36aacd8ebe90661972dbc195be70ad225045bb3c569f791e558d09ca61ffbd2aa340adad007dfac37931466f1e3627fde57fd72

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c0f46b64f71395d849dfafe7f4915793

SHA1
825d936ff2a1d74db9099ef0d1a0c853e8d08ba6

SHA256
abf3aa3ecd4fae37346406cda44a9fef2a63c5376f94e7f8de3cbb2e11abb7e1

SHA512
4c2731138919c6f431950cf7bb3cc22ae41f4db094a86a86ac3954d2aa4be3eae059d233648fa8de4a75163a7b7e7989e4ea1952476b7e294ad68b20ea6acd0f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d4fb7029ec00a48549aff620c1d9a251

SHA1
965c854f716ab0ad826244af03fe6e8cb9c2af39

SHA256
6a4567986fee8271e9bfde456ce6128bb0ba879e100809bd50a5ed1c053751aa

SHA512
7bd4760de6947c5e1523808d1353e4ba830f97cd81f067e1a96432479049c33b18b6065106b275924edebd00e01f10812a14918bad7e2db2f1d9ec5e090bb6bd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cb4a133f04c2a17e5e176d2f64e2b11c

SHA1
79b1077be9f3fdd736f246a67ef2a6bd7b34e77d

SHA256
0147d3c778ae567922dbdd542afffe319b3b20b5d62c5385dc654525aacdd38d

SHA512
452feae368c604eea21043eed8dff3ddd09bc53634977dbad6b575229dc6fe22a890d1c97c4563a7a4bc79c608c6890635f7657270ed1a6a4fe41c70bea417d8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
48dca04d9dda329485fccc6dba3d2697

SHA1
aa922191f9fb4ddf7b356e18eeab990f9e11ace5

SHA256
d0acc42802b7af9b27686925077f7cb670718eca86f6d65d3075a3a9c4ae1f5c

SHA512
2d1605ff40b7d47e244b8917b7f6c4b63ea2a95bcab10846fda89e8154d5abe3e3375e0e90cd8436f65550ab1f8bec995b13e24448ba81c8e2f5fcf768d0a1b7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
24058b39d12eb3aa97689f96fe8d6876

SHA1
d68f00ee27b41929da9c699b72f09922a687bcac

SHA256
ffd1c06b32bfd76defc582d2ad9bb66774978ef0fd91c89c09b8b8d8bc1386bb

SHA512
e7c2925963931d6081f8427a0e4d17b3dc5ca53de4fb964520bf14d0c0779a116579e78ca1c8ea17c5ccfd910577a33da5716141021095298f46ef4e31e2fbc3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
883e5420dae85b2c28bf772f4ed7159d

SHA1
8b6c18669fa1dd366a3d29588fd6b0b5a59b9e9b

SHA256
a69207fcf5fee29252415479856e73dca559550534f922792b96d297c567f1ac

SHA512
cf4e954c591890c26441a5f6ff98df9a787e748cd9318b875c06c122b2b50d1721b714cd53fd8adf6036865563a2deb5729063ad557fc8c34b9feb2f256e2b3b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
c159ff76217ac6385982968935be04df

SHA1
ef88d506c1e7e3ba3a0515e6656b4cff411d2e82

SHA256
ff0b5405a3da0d1624fa929bd082578e8ae5973e2e4f392041911076776fc166

SHA512
0a508e0976562efe3cb35ffd9dcfcfd2dc2fc9e27c5e635697aa59f5882499938636563e75b2871b3d5cfeb1c29064fe784fa178b9cd841102492523dee69adf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
f173c1bab35176330e7b9b3fd7aedccb

SHA1
e6699476ace23c3f853e9aa5509d0542052f7a01

SHA256
e8588094ddfca9f0b0d7f4f8ea0bf1e1168d158ee4f907afe8598999c846557b

SHA512
dcadda47eb2f629d80963faacde264ce3d2bf0bf70aa3bc29e79afd0d90ddf4f0be3ec8fc9182084529b8e932882424efc8112f6f3ddda85b28682e73a645a34

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
254bcf5067ecd03ad3ef5338cae77837

SHA1
11269e2cc8d0fa0c14021926cc3144506de4735f

SHA256
90fe709c4891639f639420fa7993d3dec91a534af95014548d827762a7790814

SHA512
c4a951cd76c4190303d75719e16f3fbb96e6e091cadc379556a9a6f0a97546790d6dd309228e297f1fcbc2adabe0f994b0aad5493346a07fe010f5bda0d35366

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
62890d2d3c1acaa534bdbd7b3c9c07f6

SHA1
7abdad367af74a3699dd4ff504a9c17735db981d

SHA256
6dabe1b98a6809cd2b47d075140630aa9a6ff8053d511e5ed7dc6b221ee6368a

SHA512
6c4c719f74506cf407f45d8950417e90077fe1177882b2b10b2c4807bd807c348b3aa6f4ee3306c58540b907f3a3be498f7aa0f867473b7cc61176ffa195f7d0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4802fe6b6ed5170fc84842abcc9e27ea

SHA1
5bad9253d68c136d3a223b1d55d4c587b71db2a4

SHA256
9b1b13a252cbf305e39f4823d24e16d72ab9e00fd81f2414d37e8b522fabd93b

SHA512
9fa8e2f9ecf19f73337dcda404c5808d6bf2f5dc3874904a883c87b7784f0c23e8907ecc525b75464657ddb8c31b6b0d9600ec428dc033d8778722e7c5f3dfbf

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d9d6f5a1d0d036c386ca7d6c9fa18733

SHA1
e9f6b0a13718216fa1f5c4001f777ebd45d72352

SHA256
2405bc9eaec8a861dcf91bb379c878a03b107d55c1f3e21a6898c7453f12276c

SHA512
881ad6a7d2c3bd78d88d0017086f646014ea74054bae5c09bd56f435dbc7ed2c848ad54c92f574681ee33dc55723fac96bc2b194608c80d1970c3f62e453d5aa

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
5be6db79770af3e2cb23ed004590de54

SHA1
fdbf9bacb82024f23a76a3fc2c359e2f4a2ec19a

SHA256
32b361c5c320e7cfdd807b5f4a7505e3be1d8601dcec2be1ed4c99bf08312c63

SHA512
2191246f29eda224cb6fbdf4f6b870b6be786df64fc6bc25edad32cecf050dc41c46a1fd5ddcde7b671ce14827dc2a350a51702d0d4f4936d76d1b09f7eaf2b5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
cd449a4d136b1ca4d9c205ecd9fa71d3

SHA1
3886b90db444e41a94e9c2858d8c8c3283cfff25

SHA256
200c5190760010d03bf4b2b8db57550caddb46b91f31755dd3fa587be2684039

SHA512
57bc1564e8682865792b64316d3e4475f54ba1c34ebd36f918729608031f995c82b642c5f36914633ca36f4509f6b2c3fa1e59ebfd0e41ac11815b286e9a3e52

Download Submit
memory/316-337-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/316-745-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/440-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/440-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1344-187-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1400-188-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1492-124-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1492-122-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1492-252-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1492-116-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1584-156-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1584-165-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2348-264-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2348-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2348-127-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2348-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2372-137-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2372-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2372-43-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2372-37-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2372-149-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2428-202-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2428-312-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2808-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2808-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2808-684-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3064-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3064-33-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3064-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3064-236-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3088-273-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/3088-738-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/3500-151-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3500-154-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3500-146-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3500-152-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3500-140-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3608-739-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3608-298-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4016-615-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/4016-238-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/4272-309-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4272-740-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4416-321-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4416-743-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4512-744-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/4512-332-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/4544-212-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4596-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4596-692-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4612-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4612-514-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4612-6-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/4612-2-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/4612-201-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4692-19-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4692-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4692-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4692-215-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4908-737-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4908-253-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download