58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
Size

1.8MB
MD5

bb50cfe1d94904754b0dc854fea67960
SHA1

73e842c2fffaa1a41f250144e388e134610d799b
SHA256

58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9
SHA512

08db8333b870b3d063f609e68e237f413956358c79dc31209536e1a9b69a768837aa7cd8bac9bdf0f77cc2d02ccc010678c1e4b0d99228210126ce38445992ff
SSDEEP

49152:dx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAE/snji6attJM:dvbjVkjjCAzJtEnW6at

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2060	alg.exe
1768	DiagnosticsHub.StandardCollector.Service.exe
5092	fxssvc.exe
4020	elevation_service.exe
2504	elevation_service.exe
4592	maintenanceservice.exe
1988	msdtc.exe
2384	OSE.EXE
2560	PerceptionSimulationService.exe
4996	perfhost.exe
4612	locator.exe
4060	SensorDataService.exe
4700	snmptrap.exe
344	spectrum.exe
4052	ssh-agent.exe
800	TieringEngineService.exe
1032	AgentService.exe
4308	vds.exe
1512	vssvc.exe
4384	wbengine.exe
4548	WmiApSrv.exe
3008	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\spectrum.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\System32\vds.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\System32\msdtc.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\vssvc.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\locator.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\12ef3e5d6c5b9070.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\wbengine.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B65.tmp\GoogleUpdateOnDemand.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B65.tmp\goopdateres_id.dll	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B65.tmp\GoogleUpdateSetup.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B65.tmp\goopdateres_hu.dll	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B65.tmp\goopdateres_el.dll	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B65.tmp\goopdateres_fr.dll	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B65.tmp\goopdateres_ml.dll	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B65.tmp\goopdateres_fa.dll	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a477e6936cddda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002320ec926cddda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000730674936cddda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c17f2c936cddda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d1a68936cddda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000347f3926cddda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1768	DiagnosticsHub.StandardCollector.Service.exe
1768	DiagnosticsHub.StandardCollector.Service.exe
1768	DiagnosticsHub.StandardCollector.Service.exe
1768	DiagnosticsHub.StandardCollector.Service.exe
1768	DiagnosticsHub.StandardCollector.Service.exe
1768	DiagnosticsHub.StandardCollector.Service.exe
1768	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3112	58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
Token: SeAuditPrivilege	5092	fxssvc.exe
Token: SeRestorePrivilege	800	TieringEngineService.exe
Token: SeManageVolumePrivilege	800	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1032	AgentService.exe
Token: SeBackupPrivilege	1512	vssvc.exe
Token: SeRestorePrivilege	1512	vssvc.exe
Token: SeAuditPrivilege	1512	vssvc.exe
Token: SeBackupPrivilege	4384	wbengine.exe
Token: SeRestorePrivilege	4384	wbengine.exe
Token: SeSecurityPrivilege	4384	wbengine.exe
Token: 33	3008	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeDebugPrivilege	2060	alg.exe
Token: SeDebugPrivilege	2060	alg.exe
Token: SeDebugPrivilege	2060	alg.exe
Token: SeDebugPrivilege	1768	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 4600	3008	SearchIndexer.exe	117
PID 3008 wrote to memory of 4600	3008	SearchIndexer.exe	117
PID 3008 wrote to memory of 3040	3008	SearchIndexer.exe	118
PID 3008 wrote to memory of 3040	3008	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe
"C:\Users\Admin\AppData\Local\Temp\58de3a905ca55ce08cba2cf00d8edd488371984275506020a9c130fe19866bd9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2168

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2504

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1988

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4060

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:344

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2236

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4600
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d04999493b26a57f61952428e806f213

SHA1
9061c7d5624b492eb0ff461afb4cafb3c67267d6

SHA256
308b8bdfc93bfb2a8fb089fff27bbda217658f150fc90d76e6eca09d0ddd9d21

SHA512
7801b62fc9eb078e7ce7f56a088426f1fb25a4200f35bf568b072ffc293c14f6fde781c5314ad9bcad521b1fe01a1d22ea29737dbd585a2b575959403a27186f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
cac01606d43e36d5f417b82683656ca8

SHA1
d6359dae048c6717053a515bddc16acb3ef517e2

SHA256
04c3765e87a6784e372d5a3b6ab6d7eb8a97c8638cc7a8ab92ac03dff0830ddb

SHA512
034217c3f6c0b648b2ac47e1cf10b73017388a1fd7d9622f829138ff3d0edf4ed676abbb2b757a59a248b40101758c78c0b3be4469b3d5d5213c8e225c14521e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
23fa161ad531d16c11e695d79df39694

SHA1
4617ad5ec257b01c955a4fdad73a8b00541a7c38

SHA256
fdd07abeb914f371a78f724bda9e598ae733a948ddcd8cfbbe021e1ceec09c48

SHA512
3b0bfada441f1b729449f84fede89396a3c8faf60036262bd18881c93e67c31e76cced5293fcce171cbe91960318a908584f4ba7f759d511bd194f9ad0c45b86

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
855f7f8c310f08628dc10636eb30f652

SHA1
6756bacaca8a6c95e07c3d6d199dbe0dcc05e2e9

SHA256
78f6f9bf0228382d6c821ddff2bd6aa527fcdec4f1e9666427c79886b3f061a1

SHA512
c7f2d3f29eead205e5da70f8bb656dfb52f484bc16cd4fd4aa9519bccd8f1a40617c4c30de1867bac280ea08ea762e142b2be34b016a63157384c02949a77cf3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
572b9f89393834a29dbe9c966ae6df5e

SHA1
73759bbdfbb25a15389458101fee4e3fa8245d7a

SHA256
6ddc676e3538f29f1f99f0134a07158946cb72fb57ccf13e588220205ba31e02

SHA512
c841ae081e2cb9700b753e2741a26b7d21539d13a545c8ee85341b46b8cc9ab218f24df652c9d13fdcb6157d69a9c5aee19ef79477342419d46f3abe295150ed

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
e446983f9a6637a8c40479a8677c7c9a

SHA1
85d087b8cc74a1b0346bf557108b09771d461119

SHA256
96899c1c90cf279535ba9e86266fe4437e98381e02ce925fe2caab5346cb6c0a

SHA512
d44c9fc698244e0b663e1e52c30257b55f2144a8621e63f005786e29c86dd73b043d27ab500bad2e928584c9f020c924779a8d0d0d209c224fcc9c98b087ac65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a45b56ec9ca5086f4f5d09ea0a917cb1

SHA1
204b290f976b4b67a87da150684a967fe7092546

SHA256
cb3216a18e82447130499b1a94b7e6dc2678e6e3f88ee8d3aea6e05de75819b7

SHA512
f80bb1e1f9573e215d7eb4d787d567127683e92ff2f8ebd52c96d8292c6ffac5dc65ba13599dd4cb180993c2bd4b9aa6ebe399f712ea130c2b565a0eee0aec2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3aca1a362d1827e9a47e797ddbbce335

SHA1
d29b065bce819cd59a4993fd84b99ae308cf6abd

SHA256
cda2e437a2ddd6afd0e2daec1bd48dc6509885bb8ff8fbcd2865e6912c68d5e6

SHA512
e4449da1316d0534062494a6ae6e67dfaf33c06d8aabd7f385f8055289fd2063270ad0eb18565cb997aa367f857c5441718e82e231725e5428f9eb3a2f01e254

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
9a46587ae8b046d8066a2b265971bb8a

SHA1
593139acb9deac63b9a2fb6f2c37b46bbe99a32b

SHA256
9cc90f733c3c4ff9945f539dfecc4a75f61ccb12016f10cf86074ad4e789cdcc

SHA512
010ed4fe24a1559676aeb908b796de43e7f67415a9b3ef2fa547d24eb0497e163459683aa0599a5fa66ab817f828ea99046a85b934431770f615461076241538

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
16f95aca52998008c43760c7ca49e4fd

SHA1
ecc6bd1d03a38230342c38dd6b19f1c83934fbc6

SHA256
cade4c58593e049c0d7cbafc8af3ef13930cbc8d251ff40ea9f86f8b4b3a46c5

SHA512
7920ba18efa1200e6535215e5ad3a61bc8b9b6d3bb051d452bc42af0737c1e212180a498c1a7aefcad9dc612805209ba7bcbd8a533a6f621f055fabd6e7ad7d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
41737e5f5e6f1726b74f5e2c69607ce3

SHA1
ad5b0573243edc78f2eccfe9083f099d09a35224

SHA256
8d1a77e57156a052f6720e65e65a3009ff140d637f1345621bb40fee083b9ee9

SHA512
23bb7982f66c4a3073a6c5968f2f9ed89119589efbaeef8599075fee46e546306cda127558ca1a94ef6d4f6896fb4d1e680290080e4530b68085e61fd07cd3ea

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9e6fe735af291f5244b3559503f4871b

SHA1
581247cec6bd90a170b3d22d2fce28a8c0360e7e

SHA256
228b36bd4a404fc76e77b0c3859ecb7f4614f9aa8ca18dda6846b40de7f7640b

SHA512
0c0ed93b61b326ccee92457d4d3303de1152077cfb4a51930f952a053efe276a6fde7bc46a8854124a28f774adfaa03917c95d264823f20198c97cb45eb17b65

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
2d2e5146cbb45682886e1c8e6f1393d9

SHA1
f14ac6a1a2e7391e313f2ff38e408933ed24da1d

SHA256
1bf326c339e71314c04354b18b658df221b80455e96cde7567f246ad8007437d

SHA512
0c3df09828d3c496d962da8458b932c840a7530f7eebe851790d3bcc9f223161b831a3552ad929c10fcee90c6692516eff2bab0d0dce0f97f76b3d65285247e9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
c48c7ca8d898e020e531bf9899cf61da

SHA1
12521cbaa365b658411e4f6a51a07958d8cc5fc4

SHA256
6faa1414aef90cd512a4fe22713d5a546c571959485325e412a74be921c5dc47

SHA512
f95dacb1f6ce6a457b49b4961e6ff430a495287bda1b938506b364c6205f2c10d5af2ec3c55122b4b41d5c1636a1da4ed47d71280ea4613aa9de9aa01ab260cd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4d5848630060afaac6816687c1697b05

SHA1
4bb1508f54780e0e40a6393ef9109ad08835de97

SHA256
c78e31ba0ef3fc073922622dec5e1a79080ef1e1960aadae68ad75654ad0180e

SHA512
25f6a3e885eb0b2b5397e37f27d2af2c087ffb69f826ccceabc27317a7fcc2f613b50a5e979ed270dd689a50ae9cf36c1b0681e872f9cfe555abf7bf6bfad516

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
d29d54d35b95c84bf6a70faefe0e652a

SHA1
ed4df08f0056368d8889b58581df1d34328d7df2

SHA256
85a244c539b9e61e4782bf0348b9260c1dcbbbe67ccdefa9519cdd0963b87bc7

SHA512
65034c6902d07e7ddc52ae8a45305f3a0d4a1c3e7088ba87f7881a1852f8766503fdf7822183ae31a856ada8e5c9de65ca246e6e013ac5d4d31fc301cf413c2f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
32c77f9ed03aed0bcde47468e78c4cb1

SHA1
5f60493f70b2ff79100f12ef5b097cda644865d1

SHA256
da67526143be1166a7d844adea81db7d655d9b6966bfe818eaf8265ac0e241f2

SHA512
8496b319a3e5552098273b9de95a3928f19d820f8c1447dadfc60e22b3cdf8d4b5e87052050e406746db5ddfa17c1bf0c005cf8ee35a130e98d3e13dfca3f389

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
fbffe827f8690d19aaf5f377d24290aa

SHA1
dd5fd13a94e33dfb7e9c2c23e4156b72c502dbc5

SHA256
e521dcc954ffd92132554eaac2f1d06839ec6425962008c8c3776473783699f9

SHA512
fa8223394cbc705d1bdc6fb0469187c91201d8e668d0233eecc03755064f05b38b0bfc783ba2199fc6ed84996700f4637aed63f3e1302189b63ffce6e64c10ed

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
d4d7aa397d67c301169e9cc64b5304ed

SHA1
481d211cb8ace4a05ddf215b6beea2a12a9d0c5a

SHA256
f0dd0ddbdaf289b7406816b2e74e43563d123cffd47221208917e11200423888

SHA512
4bc67f21e01b57c62ce7eca85e281d8ea3ae432ce9ba9f7050aa9ed0ab2f33677aa619132d62b7f389c5fa352598a5ce28639f106a6f7db18ea4dc4e787ee73c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ea5bb0a6731d4c760298fa71179b295a

SHA1
bc3062ae0f20091b1ef4acb136fd6a76a7f9d0fb

SHA256
7a1bebd12ca16efada3a2887ff3827cf72b6ce9fd4533d8e7915be30ce16e617

SHA512
10c44061232e4390a8c01fc049e34927c6ea676ec46071d5b79d3479c57a3b118df9c450b56e697129b91eab65fbd7f0d0465e5acfb7d43cffd8bf7613189b52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
b5c9758466efcf9611c482146e8194fc

SHA1
05fa15f5e9f3a6bd769f0b97c3217d8951057cc2

SHA256
9178138c3105910bc9510fb770b0de92852b612095847a7f33daafd6881fc83e

SHA512
4ef03111ea6f9cda52c35cd6f7c6b349cce15a93063a3a2f205fcfcbc6d739195c3767ae2801c73765b303c10dacea746ab47fc8560b5f55f1ecfaf938cff450

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
a9798cf7ecad1766b1b413a91426f872

SHA1
fad06c7ed7b43ae7e68a5a9f671e83d14ff5e202

SHA256
00c3fcbf5f702ee39c4658b6022b0298d78bfbc52d87616187990462a38bf8af

SHA512
798f69ab0d69836f307c17ef43514f384f7c49fc475fc93b0dd90ba9eec69cb61d5b03e3163d59d287bf6df6b2f768ab70e8ff23c7409ba1229439153258e8a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
7d9b1a05680df258cfde0dfba3add520

SHA1
753901c5ac89b696f34c924ce2a3e6f0122df1fe

SHA256
ede63d20219f9af72e7c362677dd77d6e44d9195055067bd65a1457f16215100

SHA512
99fde8ef6fad5a9ad4b34cd53853a0d9b120b42170e5efd66f4ccc16ca4a857e979a33964e9e978fff2868f6ea9eb81c45acb899b3bbbcd2371ada41db091578

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
15af0a81da9020dc54e8a393ba669b6b

SHA1
c3716560136998c3ab68789ed700fb4e7102ab2b

SHA256
2680fac0a46bf1c30dca72d7bb5cb20db48d936c7ccb068f9d91ea091faf4dd3

SHA512
0c9eb88e4ce3c196f8e1c9b235c96ce6c7a3de660c60476b00fe68a04e81624609395f0910e09344bcee82c94c420029f0428942b7d3fcd33f178dd144166d6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
aa9d6474c33e6f52b17b5342142b555b

SHA1
57433584dcb0b2ef883366700eea6eba25dac098

SHA256
04d407d5a8414492b2a2b89384fc91474f97698ee7c7390153dfaddd8eec5d52

SHA512
286957a6dd5e4a03fc02470e8acb04fc839ad4477c8a9adde4f0b8885b3562dd6e43280d9c7500b17dade4fc6435445a03fbc8867cba4a42f36e9a90f4da6d43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
e4a435f6c94e1d9aca564c9b5dd1d052

SHA1
9e25e3d81510bf1659e391cec04d8685a85fb161

SHA256
27584dd05e57c1e768780cde3b01199b8168315a557799270375f0b1c2e15311

SHA512
49e431ca91bddc3949cb609c045ced6d6842a7de3d16d2f7a43a8a9994fb40c7014f3552a51c3975954255f8be0f61a8203c5ec43a97a225d418a7e77ee9ab5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
57abb6ee56ab55bd60ff7749ea51a541

SHA1
1a22cb44739760dc844fa3e20269b4c415985855

SHA256
b907e354a9904249ad97505b9df5b5fb04c0100d9cd7c5f4d208a7000cdf3709

SHA512
6e2dd4fd2df2998953abd92367b61308019e02811338028af953ebb0dc1c2823f933ea6df4a24f4f0dd522615530b7b9a8018213dc98a1d4355d8eab8d66e37f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
c1eb2fcd3aba499c7dfdc6de892926ac

SHA1
28d0151e420b55c68fdea88501d138abfb9daf47

SHA256
44c3d7d244ac1fe181c642862b135527a14c15fe530e5a6b19fd058434b1ff8c

SHA512
55a925e9d2e5446a6b23066ed6472296a49b6f42b18e9a998bdbfed06a812ecebb4608b930b7465652d4f9693161cf4ba9f7af6fc77fe2bf1040c3770d33d364

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
6d24795aa3e8a06cacfb3ec6b31026e7

SHA1
e6c80ef87c75794b0823f067c5144ecd605a2ee0

SHA256
4c7bd7bebf56719693027a37e1c36aeea5c6dd047491f045eec06bfc4da388f9

SHA512
41ed0e30bb19d324c2b5330d599d6a74c47809c2c7cbdb2aa2b0d1e38624f2ff37813b0806db3d78c8195613453c723f0047278ba94b34ddc47406d0d0c5992b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
32c6c5f47eb1ff99de3b69f8df18ef16

SHA1
816f1773b831a89e6fc9c46c845cfd456c6352b7

SHA256
4cb93eef7a0bddeda7ea07f3886a90c099853f671167dced37e9636b831e76d1

SHA512
df13a4fbe4598721ba4a5a54852a88d5f2c1cc9be437e2061e41e6e7b1ee499889ead567e2e5322fee684c7a6ecc6d0a6444b3ecdd5415e041c86becb0549955

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
e4cc592a7b1ee1554e893ffd138b7ef4

SHA1
9be7a897b9d990243b2a689bdc95a8727881b43f

SHA256
fdc8405449e8247150f1843ae87bf0b7f9a3c252281c77f5e7d8cd5636757202

SHA512
fadc1d88e530566c3567e541611fe3c5d9e5cad6375255141c176b8d1ff10f7c9594c2da31656173072b9ad6b354fbb433c94f1cb1ba5333daf1a39af52ab5ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
392cccdd03a56a2158cd3b0b65c8e935

SHA1
01cd80d79232746882f0806e7f2959258d4ddcd6

SHA256
a7fa9b4cfa3514a0d43ed9735370c4388afbd358a9ccd592afc72b6e73f53fa3

SHA512
3693bbb9b6e46e88bf19f823cfa580ce344e0e7c17458c150a0b2c0028715899988d2ac16cabdb026c0ea533296808009c8f78c5fc7cd95560eaa6136fb2d589

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
ad834068d6611f30c1a9121dbd59e86d

SHA1
fe5d18f50ca1b3a5597c91f59d5d4b8ae2ea79a2

SHA256
8e4efaa95ae25dbde16da060309bf039d4a84e10b9447aef4a515785ab333a69

SHA512
b720a91718f8246964c863398c95b1354932c6b9f1260e8afd7048a4393435dd1bad04c6515fcf14749293ba5e058a5050f0e81214e9b309631eb3e081f9c9d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
0ed7b934cc56c7bb97351901480fbeef

SHA1
4cbff4366f0576ddf0bea9ba5ef96e70706a5070

SHA256
981e6b0c26f012fab3a5c04156ed8d6b556e144990267ec3280596ddf7afdb16

SHA512
5c8aa2682fb9c31e74eed2f25b783faf3aef2cf0980929e8a779fe91929d690d1a77f2371658289975958b77388b1ef05e85e982b5ccb0532db166c12e4eb430

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
c36d2f1be3cd069f1e02f3bf1c684da5

SHA1
93f0b738feb6e45ec5fe2c91fd69a8a37237225e

SHA256
7fff30f7070efd34f7dbd750b49ea1634e01ad8812e9a85fbfad70e9e4b5d7fd

SHA512
f0170a99555369ad4207a94e201723ff77dfeb036e190c12f3aa4448e656255a237d76c78982b61c034d3deae7a77912d7a0e878d4bf10fb682228caabfccdf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
441098f04db49445fad0d4efdc6e63b5

SHA1
72e79bfc9bdcc993a3eb9f411914abf21334b4e0

SHA256
1fc90c027f64c31d54b652825ea3e7c851189be408cee3c361da57321d720d88

SHA512
21f358e06dce7ed975d7a11d7067a4d1cd769689ce3015e453828a975110cba6df85c4ba50f6bf07c3dca911a4689e8a0c9103d5d6a9bbf5d2fc1779fda25f35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
065694b0dd939c4593fc978c5c492b6e

SHA1
4f3756c6d4d2ea26d087f39deb19a13f7a5c0006

SHA256
847625acd8e5193fc6bf27024b44a0c659996561def24bbd0682d18f85e41cc6

SHA512
926e205f630665cd5336240a70493cc37202a0aeb11f0e508e28b93eb2ea182f24565724805e0fa29971b6e05e3b3b5764b153a3f73d24d448eb12b3409b10d0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4dcdfca39965bb6ddb0df5825c42491b

SHA1
f66f56dd4fab33a112994266817d162211909154

SHA256
05c01a822b5d551bdd6e7dd4342b428d390f001bf091b90785a27412775d5a22

SHA512
c2e5a97c4fb3fea02abdc842290b761c453bf4f33b657e883a4b8b4193caf93e8fc9114f2171e4172a707a799ce65c2621ff041f53335d22cb929216cae73f54

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
17cae82f622879a30c863237f66e92dc

SHA1
3c80b1cb448bbd0ca825424b06d6b9a0b072a1b7

SHA256
ca862acf9236e775cb6773900e9cc11d2d34f0d3af79c3e07adcf6a20387d46a

SHA512
9274d5bd0980c3310e51d81fa288eb856a08ed0a7d37b13ebd722896b0bdbb5c8fc6d10e3bcddc156f5ba46a03c41ae7ea2a83694565bfb0724a640372a467fe

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
c9acec636bfd3e33757cac4f0ee969cc

SHA1
11376ef25a7cd089a0717fa1f9afcc5d4778d64b

SHA256
7678781f051361340eb5fdca8373ac57afad863abca6dc169b1aeb082d29a141

SHA512
e34deeb9a93f47b2152c5800e1e62b2dc169a49761435b1d771b6a6c90d67f1f1eca78e25659b1b39e371b494b321b033ec58220a2a1796df280e33329855179

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9b8f9ef5952bec4f4dfc88f086b852d7

SHA1
64afd8582223103fff5e1b1d7f425ffb242e8156

SHA256
e7cca9332dec62af4d1e0df083b7ea8c3674b3d9449376b6dd5250ee54803b5d

SHA512
df3802ee9efc73a3c38a2228bfc69032d958f12a3c43d0fc5c707a4d9be90e7146e085a7fa2bf89de47818b91e62bb1323e83e479c46aaefbeda0272547952ae

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
c4780d61fdfe491e2df11a1e6099e4ad

SHA1
c2ae89575b38bd1fcbf3336b6250c9e3ae0142f0

SHA256
634b2b79c80c38bb776c96a363b828b2f0438db4429b23dfddc9e0b4d8980671

SHA512
42801ba5b2a397e45d39e4f52ac4433e632e7a37cc203ebe4f5cddea75616241d6e119fff1c66985a58309d4f5f5be501b3d2d9be54c2831a127b9f59652671a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
136706bee14337439226572ebb637d26

SHA1
f70f8f7a5b712648e84d514e3f166647b7f2d629

SHA256
4ce24db58e5e86a3e6748c56ccc6aeb6cce67c44c3f87899d5e53f690cd3f195

SHA512
32a1d1a89cddbf2826287f75d8aa60fda847b8e79fc2e911bd8b4a5b4ab098db6867abb41d106309f42811ad17c5bfacf55f37aba565148d26c9c0ec929749dc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
ab0afc31a02aefa2e21901d2d4cecec2

SHA1
44ef7adbf22fa4777140ec83e4879d5da40b70ac

SHA256
c20d3cd2935ea62bcbed51e50f52932494a4d9cc476a10206fd557b28874b245

SHA512
66ebdeb1914e5f2fc4843db89af05e52229f34146ef5965c4e2bc0ce787d6ed91adc7e67c1b8bd0082f0749498d8cebdf562016bc73247b08bda2e2c26e58a2e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
c35f633107d917fdbdf7c7ab78c0f99e

SHA1
0e46b8b1f31203a305c3a9df47ba2993361aaead

SHA256
c0167d8157c66e43230b6cbea95886215c47bbf8e5c4b69df761bd21759c0ef2

SHA512
d9b4b440eef39e8e29708940ad2614b5568219a3295cdd97fe8a83370bc472c2ad92d69dde606a54689b29249f08a821cc8d493da2c27dc9e1e09b1e60c52016

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
879811a865c61b78dd5e088ce37f52ce

SHA1
2fc22a67807de9c713c1411249446988c6c5f86b

SHA256
d2e1f766ca47d7d8586f48ece43697b42c2f169246e81e2b1c7b134964715e5b

SHA512
243ca8c1deba8e41dfa678a4aeb31fb8c67bc37f32610ab7eb86aa5e675d7da038aff5b22444b0db95e7259f6ac0df8b556e7a2cd392e9c5ddcad297dc737c24

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
db66fbbe5285be65866b46a84aacd8a1

SHA1
a5ce3932a423a311f474b18684f8ef6828b30f1b

SHA256
a0a560277faec06d8c4ce6a0188ea0fad7b09e877d996a236da9fb1406a5ca8b

SHA512
d6ea65fe6adf652c085f3a48e6d155beb4d7c2bf1f539ff594416df0a2b57b0fcfdf89bb01b6b6a74e43a8143d79ad185f5e33c96fd0bd14844b0a24de97f4df

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a388c86ef2c997c8058633b82fbd1e96

SHA1
86033c5de8e8268caa83138bd68ac5d4a47e504b

SHA256
1c300e6b6f9f21a4f86380cd1a33de53c2ca365ace331397f127d82849e171d8

SHA512
d822b15dd4186190737237c043014c55f671a0014d65578735e6f0fd276df051d339675f78e71ef1e6551550e14d5729d53d5c8270ae6faba86f4eb4f0677697

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
987e8d5d06991828c5fbaeb100d7a887

SHA1
bdf4158be7615e66d9d043d7ec626647644b6e92

SHA256
b806679d6cb6755f5722eb7fc25b4b41ec6451ff9531fbade66e15c4f0ec2966

SHA512
726e16120c1d9a537183746fb550db8a2f02b37b63c31a79490ace9e932f4646a24aedcc07b0cc663d3b1d27dfea9ac4cc458be5530e3054525205c02009e99b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
498f17616ed741ca17e1bb8c21c133c3

SHA1
2f27fc0ed7f4a2ac2c81f738892662ac0805b35e

SHA256
046b23e2e458bba7c358e6e2c221c0b7d5e7a2013ab962bdf33d226d061f20f6

SHA512
7e7eeac57ac48dc420620212426e1361159577e263ba89d606c5c1f0e0bd6f7a1310d8a0e14d738b27cf59926617d56dcf4a5824e435dbf7bbf2a59015acb065

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fb45775597dd420309c6575ab1353d8c

SHA1
39ca36b4269a277dd51e0e59ed641dd781ead528

SHA256
032c955c4fc86a5fd8bf3f629ac52668db0e86f54def8a7438a08132a6c34e02

SHA512
02e7221c547e7e879e8a6b4362157ac1b71378a1f4cc8703e00c8bca4fa8097ba5bd4026beef761e6e7fb282f549a1fd600302c68258a6401bd9a6a4391554d0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
690e11ef19cf275a98a66b93c00a923d

SHA1
b51a14a8229f9bfc49aa1f557467eb237897975f

SHA256
5ac7c1b61893ea37b599850ca2f00f8bfbe93ed8a037530e3228fde430cbac80

SHA512
cdf294e7912aa8ddff87166e21cd1377006f5ebce1e0acd5c17a89944ae6c62ea472233c6d868fd7821226b72ecd4c1e7e89c1e91cb60053555075037cd8f522

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
012d80d583e118f3ab5488a05cd904b8

SHA1
61e90354fe96ac1a71b8bc6646a70ab7a02002df

SHA256
fb09adbf8449f027a00849a602ba83be9114d41113a43ff61f26e6fa230be277

SHA512
ef74bcd6cb1a45ad6f2baed0c2ea2b0031797962a5a9c4a40d0aad561078d8c004a5d47400e396d802df89d9af7cc46e68828c9acc7f67c5006e8c63fda31346

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
425066eb890b5b39aa39644eff4ba83a

SHA1
ef3376d1bf0b73c721572174e8dc568e3d66bb15

SHA256
c71f3bca0a8d45caaf9194f8320af77f5ba3a4ce18cffd2b947a726234e20694

SHA512
a17541d6eac0005c4a9f74728e9eeb01b44f418e570c48172c99e86e43aafd29bcdb88aeb73bc06b7d5e2ce551d0ef7796f8a5bea37eae4d7c4bbc48f2061e18

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
af05714389896efecd1cff307f753ecb

SHA1
7802e4d4b8f9386e2c47d1a9334375f367b90be1

SHA256
ed9624d8caf83e1ae87b11f43e26f06390510344d8f1282d9d9aa038bf1243ec

SHA512
b4c08b9dcbac5efee3f21133a93c8a9546cb00749bd0f43d5ddf3a7c4b414f4c0f3f70227bd9c8c387a0d766cfbeff4570fd63276c2899743cb98085b6904897

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
99b64dbe91f448db719761052564f93e

SHA1
f56bbe08b0756a93ee1cb3c3aad015bffce41d3a

SHA256
3cda5ac43443eb50bad1f81a61caee747a7cffe85d5761ae0ba942a5e9062c70

SHA512
f0bf9d304cedd4ea7c0ef11ad159c909e74135cc3bbc9ea7cf2a4caaee1d1f9618b799160b9101f1d914760d6788de9b9fb8bd9d26323e08714162e6bfa6e878

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
43aff966085f3ab13856a577a276b12d

SHA1
7fb46d2afd819a08656c5315a4ffbcfe85d3ff60

SHA256
7aaaac7ba0a65d0a184315dfe3120c1ecd6b20b195adaa54a496a420f180738a

SHA512
6893fa629331b1467781394aa073a859f587ba4de77aa320a7e0a37a49a1356579504c88d952f8d5073dd308c6b59aa9de89c214799b95d88db17ea0b364adb4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dafdd1e55808d9a0c5676feb6b12e903

SHA1
75fff698a34f4446ebe3e0f0245fd03fd2c7efe2

SHA256
d370c286411361f5e2041b1f2fa35ff31e13b1262b2cf09b41592ccc4eceb83f

SHA512
f1de094d2b0fc2eb28e554eb3949c1578072e2c7c59f7fa49166a1f37a60a17d8049b364febc57df949bc633826ad2543bdf2376233b6e6636afa32fc9b7c23f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
0f55fe4492f3e02a7a6acd58213082d2

SHA1
8b8e29b850bb334d23de77f172d764a0bc99a23d

SHA256
0e0a28d8493ccd8557968cf7a412081030373ab2d28a7e5ee0e3618e6c821370

SHA512
228255d433cd72b433d749101b682545102e0fd5637f5f5a6eee022aae3dba2281df977205c214b0824206923560eee1b371d07d5461ea61cfaf4f766b274acf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
a58808e04f78ef803139f5e8a17ca9b3

SHA1
08c16798e9d55fb8c409da8d125817274d502281

SHA256
c0e69f9a1294ff93548c97cbc26a34b765f31390837fe4cc735ed8687f5dcb12

SHA512
91898f9ca3c9da6cb51f2df526b95d077555aca5a2e9354f7fda3d90698d5fbd6525518b9843a69b7690702ae5f235fc66ef9464c0cdd96bda1e58f75ebe5db3

Download Submit
memory/344-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/344-688-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/800-272-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/800-706-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/1032-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1032-285-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1512-712-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1512-302-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1768-57-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1768-65-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1768-204-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1768-74-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1988-157-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1988-167-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2060-18-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2060-17-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2060-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2060-179-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2060-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2384-180-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2504-262-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2504-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2504-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2504-129-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2560-193-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/3008-715-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3008-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3112-1-0x00000000024C0000-0x0000000002527000-memory.dmp

Filesize
412KB

Download
memory/3112-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3112-6-0x00000000024C0000-0x0000000002527000-memory.dmp

Filesize
412KB

Download
memory/3112-546-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3112-166-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4020-122-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4020-116-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4020-125-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4020-241-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4052-263-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4052-705-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4060-655-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4060-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4060-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4308-709-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4308-299-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4384-713-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4384-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4548-714-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/4548-334-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/4592-149-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4592-155-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4592-143-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4592-152-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4592-142-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4612-216-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4612-333-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4700-652-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/4700-238-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/4996-313-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/4996-205-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/5092-138-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5092-139-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/5092-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5092-104-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/5092-110-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download