b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 05:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
Size

1.8MB
MD5

7c1e255ed63a6be67318bc80d50f6c78
SHA1

1a3bf1d89be336296ff1d30d1bcbf2f35ea895d6
SHA256

b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33
SHA512

d3fd9322d12457c685bb5251d82acf48641a47cef788349e0531f5098b075972c445cb5100fbd451617167ed4634d8b11845f26de22c26650ec05b6b75279371
SSDEEP

49152:SM9QPdxwfE7WlFwKAfzuTiDFUFkxCks7R9L58UqFJjskU:S1PdVQFwKZCFgAC17DVqFJU

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2140	alg.exe
1700	DiagnosticsHub.StandardCollector.Service.exe
4300	fxssvc.exe
532	elevation_service.exe
728	elevation_service.exe
3972	maintenanceservice.exe
4844	msdtc.exe
3968	OSE.EXE
3700	PerceptionSimulationService.exe
3936	perfhost.exe
4656	locator.exe
2000	SensorDataService.exe
1884	snmptrap.exe
4660	spectrum.exe
4620	ssh-agent.exe
2184	TieringEngineService.exe
2032	AgentService.exe
3216	vds.exe
3820	vssvc.exe
3952	wbengine.exe
3484	WmiApSrv.exe
452	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d29fc47a352c8123.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\System32\vds.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_id.dll	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_vi.dll	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_es.dll	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_fil.dll	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\GoogleUpdateOnDemand.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_zh-TW.dll	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_gu.dll	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_no.dll	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_it.dll	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_pt-BR.dll	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ded916a1ef5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023aa506b1ef5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3c222691ef5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079183c6a1ef5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a9f836a1ef5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023aa506b1ef5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000765ada691ef5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058fe1d691ef5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f2d306a1ef5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1700	DiagnosticsHub.StandardCollector.Service.exe
1700	DiagnosticsHub.StandardCollector.Service.exe
1700	DiagnosticsHub.StandardCollector.Service.exe
1700	DiagnosticsHub.StandardCollector.Service.exe
1700	DiagnosticsHub.StandardCollector.Service.exe
1700	DiagnosticsHub.StandardCollector.Service.exe
1700	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2652	b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
Token: SeAuditPrivilege	4300	fxssvc.exe
Token: SeRestorePrivilege	2184	TieringEngineService.exe
Token: SeManageVolumePrivilege	2184	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2032	AgentService.exe
Token: SeBackupPrivilege	3820	vssvc.exe
Token: SeRestorePrivilege	3820	vssvc.exe
Token: SeAuditPrivilege	3820	vssvc.exe
Token: SeBackupPrivilege	3952	wbengine.exe
Token: SeRestorePrivilege	3952	wbengine.exe
Token: SeSecurityPrivilege	3952	wbengine.exe
Token: 33	452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeDebugPrivilege	2140	alg.exe
Token: SeDebugPrivilege	2140	alg.exe
Token: SeDebugPrivilege	2140	alg.exe
Token: SeDebugPrivilege	1700	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 3424	452	SearchIndexer.exe	117
PID 452 wrote to memory of 3424	452	SearchIndexer.exe	117
PID 452 wrote to memory of 768	452	SearchIndexer.exe	118
PID 452 wrote to memory of 768	452	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe
"C:\Users\Admin\AppData\Local\Temp\b5930a7ca482f00f477193553b7801e4e7cce2b6c39dec8817328b84f6769f33.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1680

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:728

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4844

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2000

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4660

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3784

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
44f2b99e09a6ca2587dbdc9232a7e722

SHA1
1d85513d1d3bb30a5bbea61db017e460b3ca6018

SHA256
65790d017772302d32e0108ecbd0af86e51624a3f9ba1f586b7101d96eaf9818

SHA512
3672f9ca884732557cb47c3781f48bfd3ba50c879291c222b2a5dec9a9a30b75541bfdb7cbc5d2c00afbc682dab2119f8594bcde06fcedbacc5d8b7207a3dd0e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
9e380ffbdbbf2cbed4a5f6d05ccab4df

SHA1
b05b0bc103619d5d13d0a4dfe0e0b5b69b85c6ea

SHA256
20228afe85f85b72bc37e2916f63786c3cdff2a914f60a4c624ab7d202a31192

SHA512
19831d743cec02a385adc618efc4a050c747521217f9e100c9514833b71569afd6823e2abbaca120c4b17b51846aa0d6e87db78191c907a48c22ccd48a204c82

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
d2b8db58c82d88f16e1e8e81d43def37

SHA1
29a6026eedab735063095aa29000ccd8a6a3d0fa

SHA256
4a45b5908b895fd91a7096151f50b616646f241cf45d9b81177562795293a23f

SHA512
851c7806fecfbfca84728ed19d23343b2799bbd38c1fa348f32a25d47e38b0e7bb0cf4235f5bb34983e0b0c519bb603cb2e9338cdebb0d8fe130ed53c7b79a5f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c6a0c2022e2095ccfb1714bcee765e99

SHA1
5d608fac1ea5045e0d0de32b1e5305474ff4a46f

SHA256
a347e16b16292284fb7d6bc130683ff521b16e05c816a99658c3769ac7ff65b7

SHA512
01118423def137798be57726273c0fd526ba05c1fc36269ae2ca06db9dfc45a04a600acabb6ca454a5380aae6fc4867412c48901b278dc40c6cdcceab5ffc49c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4bb3a353570fe77d2d7e780bade53689

SHA1
cf4cfdfb407809741e47ff2788c9125c5b51d463

SHA256
80470fe42dfd2d12e8092d7bf03dfd983b6f91f40d813111993031a452206c03

SHA512
9ed02776ea2a48aaca9a9dcefcf5ed9e4e4440fdd6274fa6ea8e3fdcdf673baf09ec3e64c2c44c71e121b57fb86bf57afd5ce8d5a5efb858cf84c8b1aec14088

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
db5d7eaa902ceb790ac7ef8d582a05cd

SHA1
9cfc1f20233d786fec3aea9a2cd7ccefdf2d78b3

SHA256
d81ae2ef916bf2f27bb883045c7a635fdc27533e2f23e64525751ecef3076bdd

SHA512
f187503e2f4ce06315589c58a831e964a76c12c4d9e741779769396b262188d14c0ad7be91cbd5e2ce1f8ac8cb061d3f53910831ab9f74eabde385c7c032f4e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
01ef086c460695d82dafe858f99f8c21

SHA1
55f28a18208e16ede030d92500c92ec59886f0c0

SHA256
86529e2f746cbf74a7686a0344ee6c90b76f98ac12b903cf74b9edc5c1d1640a

SHA512
b323a416fa54dbb363462d41787a1942b02c94d63ce24a5d12fde8bc4725100ca4837a5843541af9854ad3b2718eac24500184f5e7e0fe43f847ff9bcb3a38af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0db07123db9a2efdf97f1975e2ef4973

SHA1
9d0c8c6b4ac9edf72a8682725b7a1799b91e21af

SHA256
4e3ae47ba6da89641765108b1249084d9b706f56c7abcfdf794ffc70cc652c77

SHA512
d4a1493b76319cce293e85a8ea9911087e761433120140f7ea71b6e7f0f444e46bfb5debba1824bd7ba969add19261ab726d51f4c842fd3404943f6b0028dd69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
20e617ab8dc48b78446497021717000b

SHA1
982a23208441baa3eeca16126dc37a0b05d11eb3

SHA256
90d4e379f6d16cf9fcfc136758974f6a1a91a4631444e5b466a3f43575d8d013

SHA512
51e2804150aaabc82ecea37e3281d3ddece9d49adcd48468f36abfac011197e2142fb6f5c6001b6ba5ff66be05978d4b5398ca8c61cefd6d621548919a8f1b56

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
89cbcb95d17104be86a0090c7331938e

SHA1
2930ddf8085e81752528a016d5c65303459e4c84

SHA256
6b0f826ae481638d591a77984ad5c4d5e094ff2a3a7d777dc5f3c8fa0b2824d4

SHA512
b9c8f2c7bf9f9612e437ed01d7e47930273f63ecbd1c7bbdc34f67c98f227beba586b39a662cbdee029fef6a2a5295973ba2490393d0e48456b398755f9a1172

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
794104c6c713c2c5b22997fdc828cfb5

SHA1
9921141a648fe2333b430db550c59776afa4c7c8

SHA256
f6e5430aa105a564a3e6215aa963331c7f43e7cdb33e2356aab0ca30f70d30a1

SHA512
7f99aefc240860d25ca308d8097fae6bfd1b57f1d8aa25908ad9251fc39b1ac48fde53e430e414775d2decfca3fc24a02b87e3180a0670c31e5fe7c11fc71367

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d4bc63ab591bc22271f59019bcfa4dd5

SHA1
26061b2b3ae54bd78d3a288bddaeb3c165d2babb

SHA256
506989562037b511139537eb2bbbba78b716df8d535353a6a3babc37bbac402f

SHA512
2fa6a2822a89fa34f2f644bf6ee506e60a56ed2de28aace6b30bb575b568dfa0415a8862f131d437775d8d7f1164162f9f130bf9a14977fcfa2fb387631bdbbf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
ec394cc217703ffdf76a23635bf853d6

SHA1
e4aff0141d190a2de837677aed253c4fb76397ae

SHA256
bde242aea350053e8c82f84b210e93bf2a8d57b70f4286ccbc71f9ac13439d0a

SHA512
6093032d44cdbb3cd74d86cdd6ffcc4601c6e7be963cbc650a06dea0ae829d923d6373d852fb34e9700b2220e3ae05e0cf8c10d0c062ad294e97cdbdfbbd5022

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
0330b15fcc111d362bb70e498ba77801

SHA1
b1e2e09ee09b6c1e8dc653efbbc643afedccf20e

SHA256
63e83e216c750979fbe91c98fdcb25dc260184194da4fa0164cb415244589d0a

SHA512
532d630a48c48b3916f04146a831fc84a88043b6da063563bac1d7e228362af0fdf40b73a47319c8e6b7cfdcf1f643ed447cb57b43556cd2ae04d1c892b32462

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2621b96bf191a1b6d023518e55077624

SHA1
38eacbb3ae7a09f47ca14e38d4378e44a5932169

SHA256
0fe66d60815c9d23078fb51475718285dbfd288902ca862a9a23b68588b4e3a2

SHA512
bafddd49d0a35b4c6adc5b3556eac83a85130e35ca0877033ecc7cd7b36eb4892cd866f17ee64a9981ac5313706d0734c49d9660abd2fcb6eb5cf3bdc0cf68f9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
69b6345102d888555952fa823d5db513

SHA1
381926c84b4bb5cbdaaf6ea19c466ac9ca0c0b0c

SHA256
5cbd49b19ceba136f5ca185e090aec811696a7d9f3cc913d1e4e2f79d2b28578

SHA512
e75492a80bdc3aee689e0c482eb1e08e772e5b5697502128e41434e9435610749a18f0f4242d01bc18de604f04e615965841e554323f6495b2703b742c05d55c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9fda0cc1b3da6279f90973252fd4797e

SHA1
d342018e4e7bd4acf9d1b2ce1857b7032d0200ec

SHA256
73931f07e5f7cc938c3d52701bb9cd584009ddc3ae9c889b84fe57dda0400377

SHA512
1e3c40749230204b8f9244d7ab7c3b59da732552e5dfe42812db6d0fdaa72ad1e99bdd1752f55c9778b6a123305b26ad8240aa12120e7a8cac3eb5e51d80a68a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
a2a86e1cf3ce3714659491000f82e5c7

SHA1
42c3c5e1c1ff01571c10eadb57b3bd8a08d034f2

SHA256
7d7ec6a51dd9ee6ad11d1f0519bbf640acade95a93ed798687c3dd76107bb5b0

SHA512
c052c69a01578183576983c9b07975fb04d49169dee56d59b781bcb6ade79acbef959245fa2ac7a68aa5481532f1d2e187f72c93d7a9c25bbd70018ca9f3e939

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
241dd819c034ce9baf67fa8515037b16

SHA1
1f54123ac404a2deec5346fe2890d0d647a52e58

SHA256
75eb39588c5d893ad39b5133f161f0abcab683ffa39e434627e2e1aebd081645

SHA512
fff2cf8510e524697e2466710e0883248e0909ccbb60b44f6d650d08ff2c2f0475f8e46dfbe33c78d8445b1e5dceeac78028ab42dc36e67720e1eeef4709cb70

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6f66b37daebcea4cd7dc3e55894b5265

SHA1
dea65fee4fb1ac40b6459a3794d2288947368f12

SHA256
525f10b87ec940cb5a12e628c70a5a1f8ef6e18de7504e8c6d4f7cb4355c980d

SHA512
42c75981ee260429df0862619dd8f7fd6e4f14a62a0cd5c65477904a08e723064c542c4bc86fc40e1397c98acc22a35e8509f8c8e6248ce4bcfd91982b438124

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
9ef19ac5aafb1bbc781db9639e066924

SHA1
23f193f1ac02b66db0d7b8a095aca217d7c9a125

SHA256
59dfb565007f74d1d7fd17ff48857e4d51b841447c518cd882b9291ef2862dbe

SHA512
b1666d73136b841beffe8c70ea1130a06d03cb60e778a8189c50d7ac605094e70ac12d958e4e8ec038521b3d3821f2180bc5e0fb34b533e3a46acc218e771c19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
ff5dcf86bb09c9b5c7366117a41e3cb8

SHA1
bffeee801952811182caac84dd4a877e80b3c623

SHA256
105102fe441dae14c4599b4f4d5b6b1d004cf0e47c4fda588afcc74fec30c6ae

SHA512
eda6b52c07865ae7e26830a6be2a474114248d890000bff58fa26f495f03d23e569df2239e2fa76d5eaec611a9a12137d80a6dfd6a3cd974a4c35ab71c99ef78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
7159f3f54e94baa52ba512c913bb8124

SHA1
b7a5d1d1061f28b32a30aae9e0d8c34a419c711e

SHA256
4d4dc5050fe83c2606695f54ca09d280a5291106954f953a98ab1745118f402c

SHA512
080adb02fdda6c439e0cc60c829a3bbaefda585460c0ae49d99f651b8d4e4160282cdfc33f1155301bfc5e2f07263e67c1f6a038a17b27f255faf035aaf0b034

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
12325aa6a32f4f0a725f0fadec139a74

SHA1
75074a2b4edad39744932b4ccb6853aec98ee9d9

SHA256
76b859c59121cfa768fde4908e68c385484a849d66f4b1a4190e89e5ebdb7c5b

SHA512
0f26c14214918b3a6d3d6ad4f93802828b2af96f90314414d4a7a6e84683fbc7c23c60110b49dfb04b48555596ae836bf7b1620b61422390a878f47e0b09bbf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
9412fafcc85a8cde69e9e5a4cec36fab

SHA1
8a2f6477574257cfd1b88f11e6edade40f8b1eca

SHA256
d2efe9ea2fbe8a0d82b1451ead8221b79ede0e2830ceae08f02c407ec2a75c0e

SHA512
951ddf9dcbc2e4f995cdd0bb7bef0848424911684197b101f7ef66a6ff4fa1fcd7b2df7cd883bd2f1a33a9786c5991d2eced850c9147e7599e04b32b0b05c73e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
c6ae9429f88c27a35ebd1398e7790cea

SHA1
6fb9e305c4487f58dcf268d806025d9f18fafd20

SHA256
302c0d7042fb6d93daba5f6872ceb8b00ac349dbf7cbdc96f5372cc2f1dcddc8

SHA512
9da2683d26356d288c9a8300899492225d620d49ca9755f2b6dde8e44fc08d47266462e84d9ff0aa680ca89a5f39143d3161cf1b116f21efed1b6ec61d4966d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
95f8ffb8a23edc38ce0f388e581a17fd

SHA1
b743afa88812f1e0f7c7490e4bb7d5e8d129fe7c

SHA256
6474831ab34fe91491289eabd08043448a96701380693760f7f3a2069173da72

SHA512
82060e677db0363b45d1de9812d6873fe74f29328dc8a3d70f181d159aa3bf69285e6f39f212e6fc218e59861a8d4d3e439b4365c55e40e55d27b42418927ba2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
758acf9fa13abe04574483d8cbb6c591

SHA1
8f390f4b75889bff90689a732f3211bc6c2691b0

SHA256
18e67b19ebb7756c9a64018ee00c37f85709e3f799cbc9e1d245ee83fb88c5cd

SHA512
dff9b4d5ac76acab7075aabb09660b7c35cde36c111c320a8362877c9c63588b6461d7c77e8e963775a66e2c80f33749f91257d0b242638a59c52a8112aabea9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
10e3e28d3670f727b36255ec01cb671c

SHA1
395fd0cc13e553f899ae9aa2c0cde6778afd8962

SHA256
a23788908d54896f30a028e4f7ae4db3b12390938b26cbd7113a833ec4796525

SHA512
b977dd4d0417fdc611675f9818e7f0c0916bf1e70c7542d60f459bf470192f9976fabeca778447b0b80a7e0d2bed7f3c7c4ad3a810cdb6b14cf900e1427e2f7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
06af47398b786001661bdd83c63b4f80

SHA1
0544cabe54e2dc0355e025792542376ac20948a8

SHA256
6d4a7cd7e3d7586603601f689a1b2097ceb19c5f1412457d3920938254c16f8f

SHA512
00e52a837ae93303458a45a0e6e669ffa57bcf9adc6aff4e4daf523d4d16150a02db72f90c06d3dfcf766902df9c25a78f8b8678bb66fb33d2fd527edd93d952

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
cf40f0af95e538ec9fd2cd4c58c1d46d

SHA1
23a6383414221296e0c444b8891489307e2cbb78

SHA256
76c04d89c6fa562cdd995184e1c4064af4f2db8dcabda4dc1bc97c1cc3c5ec0d

SHA512
7d253453c11b0d5d8a3663d9fcbdd720558cfd6082fc4552d7a78e1dddf9809ff5898f64e8649e2824aaa45b901f249801007c9bf70fadea1189b2eb75ef3641

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
937a17a214ffa996a9724290cad7b113

SHA1
b305b2416959b65604089bccf56f7ea7a59bfe8b

SHA256
c300b8f7b02acca847f7d3bbee3f2ac406f0ecedbc8c525e8ea71cbdd3fb31a7

SHA512
2359fc44207601a16a978092c6c99b0533ad296cd6e8421f86fdc9e4e9d76d2d53fa42237bc48a90a289b625c786a7c7986baa4f447add0fd5791e925836ed6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
6309c893a3f35ec5407fa65da8888588

SHA1
eb6f7c5f65a97130817c9eaa8e05d8b152d25450

SHA256
f0abecc57554d1764227873d49bf12d1de372652e89044e1a29c4f23e4948b08

SHA512
806dac0a81c801878661f514e1eef828562cb923aaa47172e913aa5ba05f1a07cccd87b09c7e7eca60189f840f332eb3e42c03ef0637b0bc3c2e88251d730d3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
00e0a0a21253ca6fd07d98c1f955877b

SHA1
d5eed46dc87a2dbc5f7bd3e5ec6dea34a462f550

SHA256
41939af67bb4b136a9ac39aa84d2ed53c0f7db3ab11d4dbc2948bc5c4f96b9d1

SHA512
4dd78c0f9ea0cea7f5e2dc1841f387b59491c42dbaefdd3690d6d85edc3d7399a9e0af8df50547b0b764b313e5e5361c4ab51456f05145b50ea153cc9f9066cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
b1811f36839695d200454a33fc6f8774

SHA1
983fbb1dee65fa4dc956d1909274a8f34b8b31c5

SHA256
57dd076c9767bfd77b1a3b02076c837e94f3fe7ad34f648eeae5c88d8c8bc91c

SHA512
2f55bc5995882f68dc9c8c2c0717f1aa232f06b4638a1541854b422217e4055a0dda40e669f80d966d16cc16ff3952bd02ed80e5400d37fcba5b35ab21f4ff85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
b15b49233db42179f834c1a6540ebd32

SHA1
840d1fb5aa7a4ec9c5e77df7339452a51d1cf126

SHA256
0e3cf125836ff91391e6cb5d3724cb4153e3c938ed384e7098ab0eab007b73fb

SHA512
3ee803d9396c40af00de199e8ed803d3b8f91a8de350e2516c15f922c63cf3718a0d372e44e401b390e41c96ac08f5ff51c660a7fac5c4d0f6f7571c520d80ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
29546e1aa3cb3ddab7debd6c56bd8dd9

SHA1
c2a4280711d059ac93092d3edbd6449e503d1850

SHA256
5896ffb5587ebba67d0cb01ebbc0c50f5985bcffadc97878fd2912604ec719ce

SHA512
3418066a654dddf73a8738a4dd61bc75ef923a98fbbef171bdd4b1c6452b3e9435b21bf8f722b86ee0030be39df7cced5637a040fcc29ea4da7f5f0b4766b650

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8a8cb3b7a41b5d05cf56c9ca520934f2

SHA1
c0f73e6fe4c4fdf475b27efc71b6b0b4904c64b2

SHA256
f02f8ac6add9ba44d7da71181257cda396e789a07b70280d4d16625f2d46c785

SHA512
385398b917af3acd57918f305993c6ad8431a73e2a5891c9ba76886f82542fba5e454d13fb32e030e4eb897172bf02f9b2dcc790c39ded6b32822e9d872104e3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
9ddc1a7fc26e5ba79898744afef267e0

SHA1
44d82330146513999c1810c9237538d06bb7dde4

SHA256
70cd7809974f9e03a47a09f9a01956bb41a2d79e1244b31d5c248a9f2a2d108d

SHA512
06535392a96e4b7300139b3ee4ec8dfccf77b8dc4ac9cb05a0925a8fae50fcff1396057d90b033a90a590ffa58258c15f52ef4e3b9dd175a34a9f2a516e42b98

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
29447a104a30f18145db15a7f237e22f

SHA1
421ac62bb1f86794b8336f133ecf686a766b5ac4

SHA256
a5fa556af7eb114a71cbea3601566c286baf0b59d702ebc8ed6f7ca8dcc90ddd

SHA512
6740e297292514b329f2edc7f2fa1bfb04ccc79262c2dad671b2674b20c3370d3973f6c4843f6f591fb1343f78a7afffddca42e5fbad5d65774e5538beeae863

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dea89015b2b68b42cd34ada4e48e8a41

SHA1
3e3cfe3fc68f47ef29562c358839c9f8a6b1e283

SHA256
30274f9d55e72e70fef433cdc980ba9005469493d1158d5f1a5c598637a7dbbf

SHA512
b7ba314c1ba0546afded188bac5053e65f89cb858b0b81b53be1a8b881011b27aad4d59a4ed662fbeccfd0dad983b75f0a07969a307f5176bd5e6c398227506b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
3194706bf74cff0f5edf324719bcee27

SHA1
8188352f10ec7dc6b07375c564e82c1f0f70d42d

SHA256
edbe5c084edabe5d23397d8c2c7239afdde3b9e024707743daff37542da384e2

SHA512
725dd55bd9b5c38970ef430d2e34c9e8e8aa51169ea278486dfdd3101d3ffccc05a2722f6faaeeb033cce1966ecaaa3aaab5bc6a7171f56a8077e0a7a0afb22b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c2832c313f69c148f94b7b9f87dc9364

SHA1
d92fc456061a22c347dd722542785fbb51388c3a

SHA256
d591e5232a565043485fcf953fc2d354edfda98beef2b0745e006e75a5fac403

SHA512
6186b525988fcd8e5fa80c6f4bbc1796d9aaa48c7d273c84503beb55f694e84260b3851fef0bebf05a8e38901b43b37b55df86c6064a3605edd2bd7058e6aa97

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
ae755b5b1dd68ca1d7e2c63b10c9bfac

SHA1
a2c40f95b658ff57f529a7d6baf353ab0b77082b

SHA256
a23a691157d21908767189ea392fa3d988effb485b1841a30841c43c5b2bf385

SHA512
a809a48c0a4a65a773e3596b20546a5619ec28c1557d2364574557bcffb3975b269493205a7284658371e71598ef1d54cdb640b9cfb804388b176759bcaa9fca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
e18000a5e905455daea9c60cf9fccf09

SHA1
034f6c8ad535876c3c931f95a8b9580d334b7594

SHA256
245fad10d776e9abeb165e7fb87e87f829b65acb1cc6e4cb8ae511c137b83b91

SHA512
41127f6562b3c8194832fc9daf82d5ee3e60a5c554e6b3927fda80e02f84f7806b6aec13cd651b986900bc65953c489d990ea62784f8856787121b690cafb6bf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
7afabe62877b5bd4595fb918ab866bc7

SHA1
5f4e345218fc79cca579ee4b14d25dbef1547e2c

SHA256
9478e709f542d59b1b57f9af3845bb7675a3a05457d357b8c3656b40df803383

SHA512
6411ea068e51e26028b6af68b58b16272bdc4964ae94c5a4f0e7c051935f9169c63ccbff4b51b3f05e9edb3fc3b7958f855c8c3457cc1f0156761eb693e517a1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
47f81343084e36f48f0129b8c95882f0

SHA1
9a8a6fc3fa30852233ec9d48fbb92221cb09a568

SHA256
6cab319963881fda9566260d51dbf3ae5beb0de66bbe1905980c3457080ddf0d

SHA512
ce313529056cf4d1cf8168d364e25f589ea2706a00cf25bb94a8f2e9e708325848d0a77f5d8f9677453afc649c5067595837e52b37e182c92248aa6b19a085ea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ad17cf71111f6b815464736accc5d0fa

SHA1
915a13995acba3e7a01e6a3f54f72d763600f0c6

SHA256
8b09875e4f7a37dfc14902e8770330ee376941cbfab8c617cca10c007dc9d2a4

SHA512
e133b70491d66b930c3c7b45fda6e0ec9d9a7900def2dc7662cce31249b5c0631f59684bda2a005bac36492c0f8b0d2af9b97cd4a2acf613273c6e55f77bd05c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d40aada85cf09553db3ec82aff33d515

SHA1
9fb58f5a787be82fda96ad0b2fa2480f21c86c8c

SHA256
b2a7040c5a003954d78d3d53421b4d6bd3b68f9b3d5bf5f0f26070d964bb9abf

SHA512
e160274aa17bb8d2e83ce377b2ab35a4c18580b163679d5f4d57a36c423cf4feca23864cecb327c6203f64970cebfe10cf7c52c1fa5cd5391147a198302e9b16

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
9356baea896e252303600d8f3291faa5

SHA1
0ac2b12644235daddc4e4cdf0955fd27f34f426f

SHA256
2766ee596214d0238fb9ab2dc44d6384756f432699fbf21dbae221ad7f88f437

SHA512
6bb04ede4cc39ebd248371911a7935b3831cbf1c88a0208fc1f697276b4d02fdd5b6b48d47235eaf690604557ad9b59571bed15e02344643da4eb0e850d8fe23

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b305141522bed9b60d719122c6374077

SHA1
405a659a91381f1a38cbac551aeeba836b45f7ec

SHA256
71b7e429b1487a779f9ad0bd2c93bf6742525d66085a9820b161453452e6cad0

SHA512
c81f3ee07a1de25baecb106c5dd112af65ca9fe6b3ffc4fe9b977ac67d84f5ddcc1a55c5d9d2d0830ef108098e03e28bf65eeb53c3775471b4689829828a424c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
642eddd2a4a1aab6865391d2bc580929

SHA1
81976c6be47e29c9ba410e88acbdf42dddce60f8

SHA256
fff4c056996da28a96f95b6efbb3a028241a8ed81563ff7f528209f9646db617

SHA512
2e0694aa76cbfafd71b7cd2050e62238e30432e5e89f5c25c94f0153e2ceaf55c9b3c7dc3419926a71d4ef15118e4edbecab31001c6df64df24d5994b09766b7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d04183aa7f3b3a3a00fc4a6170079157

SHA1
c2502938316971fe95ae8d8c124c745868dc4f95

SHA256
8eed1c9e2bd2d9beaa4b8965e131856bedb892fa50078caa32999a674a82db87

SHA512
8769af3d91698d88c9f2bac6667b2afc919b4ac871e4b7d154f41def4f4e25792aa773c76ce089fb2de413d01d83fde5c664f243d61f863aa79eac5c755e9127

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
31502ec0b8426e4438a248860765f092

SHA1
1aacc105fc8ef543b69c4625acbf1a0dda451463

SHA256
18c6330d127e8f7f13d197635bb42fb78742cecde69d0eb1160033dae0416fd2

SHA512
585932c0ea7aaeb7b95a040b6123e00eeb857c9b7be1374b93ec8d9abdbaff3f7c5123f6928426950654a8a63953f54e3173fc91e8376bd6113b8f669edadaba

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
33ed484a8eafc55e1d4ae4f3c3d4475e

SHA1
2dd500e73c679a929215c438d7cc7494d1d8587e

SHA256
063deb6776ed3a223458524c433bafc5bef5964f671c15b99a08f71cac786e25

SHA512
c296c90f8edcef212947120167d877b17b575439b6c28931df734eda445b6f4a2f2d54c962bfb4c8d85d0c0f2633d0a30cabfd0de2430d9bb7f82bd0ca8e83d1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
b506dd315f662eccec06cbabca5a98b3

SHA1
f629c799a5f3b3b95dd851751738146eb52f979e

SHA256
257bb351d664e7a79ea7562ae7f11690b0da4e256b946f7a92fadb3ea446fba4

SHA512
6d416ac5e24c2a79a7aaa4cff2252bb5065da834c6bef1b9d9bb69a837ff36a99fc50bed27779d1dec1dced1c18c7ee392d465e1b20f33cfe8c5d64ef6d2475a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0c1df0b609588febe4ec8daf082f921d

SHA1
f04b1337e47d2c583f6c1ab7a856f47afbce039c

SHA256
7432c5ce71e629003081cf21e9b9e465e9d29aba8a15a9f0ddc3a95e4467e18f

SHA512
99ee78d6d680029f5a913e2d8f453c5cf099f45c7f2b8acbaae5cd0cbf8ff8b8c6e3ce8b1408bd4677c8e3692a3d44e05de861cf4f8e6b15feac404dfb0889c5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
48da1ff4b28e24af180d27dc672eeda1

SHA1
1f8b815b206b92b804e506a980edc75921a2a7ec

SHA256
003569244f6f4dd61ec518b7f94c5657deb1b99092f415f155db66840fdd76b2

SHA512
ebcc89c734ba1c71d641c1cbfdeea2420086a95104c44f9447c2ada3063f61bb29335e51fe61eb3a45cd75234bc7903173f32c3314d6349d53705fbb0b72deeb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
ae1009fa6d476553348ab7fa9f4b685d

SHA1
03067574442f60fab9720cb5d224a7649bd32200

SHA256
c2a18b3c7854cfbd56d64832ec6662b9b847af2b4ceeaadceb2648e76462ba0f

SHA512
95e39aa3fdc48ef6d8866aeb4199dba74c610bbeae57b5a24bf211a1c62733a114d535d33ebe2a58732de28eeb32ac9d4bc228d82bbd897e710620ac707d2d26

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
aed9db7670356cb06d1b512614f6e1b9

SHA1
c8b1eef0d85d36eec9139c46b757780b4a32557a

SHA256
fcf561ff9f5d613b4f20a4250f5dad11770f3ecdf0200e74b8261fbce6e1a17d

SHA512
a147afd31a998213cb9a07dae07cb6234043948689316697a9bd83165bcc3801072aa0229573a4885fbeb5de8797fd455a8f5e16464714f376293acb427dba72

Download Submit
memory/452-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/452-838-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/532-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/532-123-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/532-126-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/532-117-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/728-134-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/728-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/728-128-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/728-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1700-92-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/1700-101-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1700-102-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/1884-223-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1884-404-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2000-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2000-334-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2000-752-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2032-271-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2032-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2140-174-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2140-14-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2140-19-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2140-12-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2184-682-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/2184-259-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/2652-509-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2652-152-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2652-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2652-8-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/2652-1-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/3216-286-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3216-772-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3484-322-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3484-836-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3700-186-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3700-297-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3820-834-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3820-298-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3936-309-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3936-197-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3952-835-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3952-310-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3968-285-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3968-183-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3972-143-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3972-149-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3972-156-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3972-153-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3972-159-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4300-140-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/4300-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4300-141-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4300-105-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/4300-114-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/4620-256-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4620-626-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4656-200-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4656-321-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4660-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4660-429-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4844-270-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4844-158-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4844-160-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download